Showing posts with label cyber law. Show all posts

Wednesday, August 12, 2020

Strategic Cybersecurity Thinking

Strategic cybersecurity thinking is the ability to come up with effective plans, in line with an organization's objectives, for a particular cybersecurity situation. It helps cybersecurity managers review policy issues, perform long-term planning, set goals and determine priorities, and identify potential risks and opportunities.

Clearly, an organization needs a clear strategy for what is to be done about security, and that strategy should determine its policies and procedures. In practice, however, a security strategy is rarely written. Most emphasis is placed on policies, the implementation of which is generally relegated to the lowest levels, and it is simply assumed that most people will follow the policy that has been created.

A strategic cybersecurity programme does not begin with tools and tactics, but with an articulation of one or more programme goals. Sun Tzu once said in The Art of War: "If you know the enemy and know yourself, you need not fear the result of a hundred battles." Essentially this means that before you start strategic planning you have to know what you are and what you are not, because the way you operate can make or break execution. First, the strategy-minded CISO gets executive buy-in to those goals. To that end, the CISO must incorporate all levels of strategic thought, starting with the board and CEO: everyone must feel ownership and participation.

The smart CISO recognises that security is a journey, not a destination, and that relationship building requires an ability to translate between technical and non-technical vocabularies. The CISO ensures that the programme goals accurately govern the objectives of the enterprise’s digital security programme. In our scenario, the CISO, board, and CEO all agree that, with respect to intellectual property, trade secrets, and sensitive data, the new policy goal is to minimise loss due to intrusion. 

This statement implies that everyone understands that stopping all adversaries and all attacks is simply not possible, especially when dealing with nation-state actors and some advanced criminal groups. The primary objective of this exercise is to achieve consensus on a simply stated, non-technical programme goal. No in-depth technical discussion is needed to achieve consensus, although the CISO must ensure that all goals, policies, and strategies are technically feasible. With a mandate in hand, the CISO can confidently work with his or her security team to plan the necessary operations and campaigns and, if necessary, acquire new tools and tactics to facilitate them. Together, they decide to implement a network security monitoring (NSM) operation, defined as the collection and escalation of indications and warnings to detect and respond to intruders. 

The security team begins the long-term, strategic process of hunting for hostile cyberattack campaigns, encompassing both known and unknown intrusion patterns. The CISO, board, and CEO all agree that a second programme goal is rapid detection, response, and containment of cyber threats. This goal helps to ensure that when intruders breach the perimeter defences, the game is far from over.

Defenders can still win, so long as they contain the threat before the attacker can accomplish his or her ultimate mission. Therefore, the security team will develop strategies to identify compromises quickly, determine their nature, give them some level of attribution, and above all develop a plan to stop the attacker from accomplishing his or her mission. At the tactical level of individual engagements with the adversary – the equivalent of battles in war – the security team will have myriad decisions to make, including whether to dislodge the intruder immediately or whether to watch the intruder for a time in order to collect valuable intelligence.

Some tactics govern how specific tools or techniques can be used, such as when Star Trek personnel switch their hand phasers between ‘stun’ and ‘kill’. As always, the adversary gets a say in what happens, but from the enterprise’s point of view, programme goals, policies, and guidelines should be written to govern this entire process.

Thursday, January 16, 2020

When IT Act, 2000 is applied, IPC cannot be applied by Police in the FIR



IT Act is a Special Act: case laws. By Advocate (Dr.) Prashant Mali
Sharat Babu Digumarti Vs. Govt. of NCT of Delhi, MANU/SC/1592/2016.
Gagan Harsh Sharma and Ors. Vs. The State of Maharashtra and Ors., MANU/MH/3012/2018.
Ajay Murlidhar Batheja Vs. The State Of Maharashtra and Ors., MANU/MH/  /2018.

Special Law: a law that applies to a place or especially to a particular member or members of a class of persons or things in the same situation but not to the entire class, and that is unconstitutional if the classification made is arbitrary or without a reasonable or legitimate justification or basis [1].

The Indian Parliament enacted, in the fifty-first year of the Republic of India, an Act called the Information Technology Act, 2000. The Act is based on resolution A/RES/51/162 adopted by the General Assembly of the United Nations on 30 January 1997, regarding the Model Law on Electronic Commerce earlier adopted by the United Nations Commission on International Trade Law (UNCITRAL) at its twenty-ninth session.

The Act protects, and provides means of redress to, even the owner of a single computer, computer system or computer network located in India whose rights have been violated by any person. The Act is the first step towards giving the necessary confidence and protection to such an owner.

The Act is a special Act, as is evident from section 81, which reads as follows:
Act to have overriding effect. "The provisions of this Act shall have effect notwithstanding anything inconsistent therewith contained in any other law for the time being in force. Provided that nothing contained in this Act shall restrict any person from exercising any right conferred under the Copyright Act, 1957 or the Patents Act, 1970 (39 of 1970)."

In Sharat Babu Digumarti v. Government (NCT of Delhi) [(2017) 2 SCC 18], the accused were charged with offences under Section 67 of the IT Act and Section 292 of the IPC. The question before the Supreme Court was whether an accused who had been discharged under Section 67 of the IT Act could be prosecuted under Section 292 of the IPC. Relying on the non-obstante provision in Section 81 of the IT Act, read with Sections 67A and 67B, the Court held that the charge under Section 292 could not survive. The decision rested on the reasoning that Sections 67, 67A and 67B constitute a complete code on the offence of publishing and transmitting obscene material in electronic form, and that the non-obstante clause in Section 81 makes the IT Act a special law which prevails over the general law, the IPC.

On 26 October 2018, a two-judge bench of the Bombay High Court, in Gagan Harsh Sharma and Anr. vs The State of Maharashtra and Anr. (Criminal Writ Petition No. 4361 of 2018), held that when an offence is sufficiently covered by the provisions of the Information Technology Act, 2000 (IT Act), the IT Act applies as lex specialis to the exclusion of the Indian Penal Code, 1860 (IPC). The High Court quashed and set aside the First Information Report (FIR) insofar as the investigation into the offences punishable under the IPC was concerned, on the basis that the ingredients of the offences alleged under the IPC were the same as those of the offences alleged to have been committed under the IT Act.

I got this bail in the sessions court. Police often apply IPC Section 379 in data theft cases along with Sections 43 & 66 of the IT Act, 2000.
I argued, along with the above case laws, for the non-applicability of IPC S. 379, which was only added by the police to make the offence non-bailable: when the special Act, i.e. the IT Act, 2000, is applied, IPC sections do not apply. The Court accepted my argument on the merits of law and granted the bail.
Bail Order of sessions court - Download Link

In Ajay Murlidhar Batheja vs The State of Maharashtra and Anr., decided on 26 October 2018 (Criminal Application No. 1217 of 2018), the Bombay High Court held: "We are therefore not inclined to quash the said FIR as far as the offences under the Information Technology Act are concerned, however, we hold that the invocation and application of the provisions of the Indian Penal Code and specifically, Section 420, is not sustainable in light of the judgment Sharat Babu Digumarti v/s. Government (NCT of Delhi) (Supra)".
Thus the provisions of the IT Act prevail notwithstanding anything inconsistent therewith contained in any other law for the time being in force.
Nevertheless, by virtue of the proviso to section 81, the overriding effect does not restrict any person from exercising any right conferred under the Copyright Act, 1957 or the Patents Act, 1970. The idea behind the proviso is to protect the rights of intellectual property holders under the Copyright Act or the Patents Act.

Conclusion:
It is often found that, to make the offence non-bailable, the police in cybercrime matters add Sections 379, 420 or 408 of the Indian Penal Code. The above case laws clearly indicate that when sections of the IT Act, 2000 are applied, sections from the general law, namely the IPC, should not be added.

By Advocate (Dr.) Prashant Mali [MSc (Computer. Sci.) LLB, LLM, Ph.D. in Cyber Law]
Mobile: +919821763157
Email: cyberlawconsulting@gmail.com
Twitter: @AdvPrashantMali

References :
1. “Special law.” The Merriam-Webster.com Legal Dictionary, Merriam-Webster Inc., https://www.merriam-webster.com/legal/special%20law. Accessed 14 January 2020.




Monday, October 2, 2017

E-tender Landmark case judgment in Shapoorji Pallonji Co Vs State, Mhada, NIC & Ors


Final Judgement for Download

E-tender case of the BDD Chawl Development project of MHADA
The pressing of the freeze button was not registered by the software, but the tender files had been submitted to the server. The Hon. Bombay HC asked NIC to work with MHADA to submit the uploaded files and consider Shapoorji Pallonji Co. Pvt. Ltd a valid bidder.

This was the best landmark judgement, where I (Prashant Mali) was acting as Expert Legal Counsel in the e-tender matter along with Iqbal Chagla & Ravi Kadam (famous Sr. Advocates). My legal opinion delivered earlier played a crucial role in defending the matter.
This was one of the historic cases in my career and is also a landmark case in the e-tender and information technology domain.

Shapoorji Pallonji & Company Pvt. Ltd. Vs State of Maharashtra, Mhada, NIC & Ors

An interesting judgement in an e-tender & technology case of the Bombay High Court
Rs 11,000 crore: India's biggest redevelopment project, the BDD Chawls in Mumbai

The bid document was to be downloaded from the e-tender website mahatenders.gov.in from 3rd April, 2017 to 17th May, 2017, and bidders were advised to refer to the bidders' manual kit available at http://mahatenders.gov.in for details of the e-tender process to be followed. The last date for submission of the online bid was scheduled as 17th May, 2017; this was extended from time to time and finally fixed as 27th July, 2017 at 13.00 hours IST. NIC, as an expert body, is entrusted with officially hosting, designing and developing websites and servers for various governmental agencies and hosts http://mahatenders.gov.in on its server; this particular tender for the BDD Chawls was hosted for MHADA.
Shapoorji Pallonji Pvt. Ltd raised certain pre-bid queries and uploaded its technical and financial bid on 27th July, 2017 at about 12.16 hrs on the e-procurement system.

The Contention

In this case, my client Shapoorji Pallonji Pvt. Ltd had uploaded the technical and financial documents before the bid submission end date and time. However, it was alleged that they had not clicked on the freeze button. Unless the freeze button is clicked, the documents are not made available to the tender inviting authority, i.e. MHADA, and remain in the area allocated to the bidder on the servers of NIC.
What was the solution:
So, in the public interest, NIC was required to retrieve the encrypted bid files uploaded to its servers by my client and hand the uploaded files to MHADA for decryption and consideration in the bidding.
The Court held that technology has its own glitches, and the moot question is whether such glitches, which cause substantial injustice, may be cured manually. The Court observed that as of today we have not reached a stage where the system is foolproof and guarantees that it is not susceptible to any error. The impact of technology on our life today is unimaginable; we use technology every day and it has saved us time and effort. The introduction of the e-tendering system has made the cumbersome tender process simple, faster and free from unnecessary human intervention. However, in a situation such as the one dealt with here, the question is whether the use of technology has offered solutions or created issues. Increased dependency on modern technology has reduced our creativity, and the human being is dependent upon technology which, undisputedly, is a useful servant but a dangerous master. In the words of Albert Einstein, "the human spirit must prevail over technology".
In the case at hand the Court observed that uncertainty prevails in certain areas and no technology can make the system foolproof; in a situation where the technology can err, we cannot completely exclude the element of human intervention in exceptional circumstances. Ultimately, it is the human being who controls the technology, and when it errs it is for the human being to rectify it. No solution was forthcoming from the expert and technology operator, NIC, as to what happens if the "freeze button is not clicked".
On the other hand, NIC itself showed that once the bids are uploaded they remain safe and saved, and human intervention is not possible. The Court felt it expedient to intervene in the technological procedure, since the technology had failed to serve its intended purpose in the present case and the interest of justice called for intervention. Every citizen has legal and fundamental rights which are required to be protected, and in a digital world those rights cannot be lost sight of but must be protected by providing alternative and effective solutions within the modern technology/web system; in the tender process it is very necessary to ensure that bidders are not shunted out of the procedure only on account of a technical glitch, and the technology needs to be developed to cater to their needs without causing any delay in the scheduled time. The Court made it clear that it was inclined to grant relief to the petitioners, considering the public interest and the fact that the petitioners' bids (technical/financial) were already sealed after uploading and no changes were possible, and treated them as sealed packets submitted within the date and time as per the tender document.


The Court directed NIC to access the files containing the bid documents of the petitioners and transfer and/or make them available to respondent no. 2, MHADA, which would decrypt the files and, with the assistance of NIC, consider the bid documents of the petitioners as a "valid bid" and open the technical bid of Shapoorji Pallonji Co. Pvt. Ltd.



Friday, August 4, 2017

A man from Odisha gets six years in jail for cyber pornography under Section 67A: a revenge porn case

Judgement Download link

A Judicial Magistrate in Puri today sentenced a man to six years of imprisonment in a cyber pornography (revenge porn) case, stated to be the first such case.
Puri Sub-Divisional Judicial Magistrate Shibasis Giri also imposed a fine of Rs 9,000 on the convict, Jayanta Kumar Das, an alleged RTI activist. In 2012 the accused had created a fake profile in the name of the victim, a woman from Puri Township, on a pornographic website, uploading her name, address, photo and phone number to take revenge against her husband. After her personal information was posted on the site, the victim started receiving calls from numerous persons enquiring about her interest in paid sex and wife swapping.
The husband of the woman, a local journalist, had written about several cases involving the convict.
The crime branch had arrested Das on September 18, 2012, following a complaint filed by the victim in July. He was booked under several sections of the Indian Penal Code and the Information Technology Act, 2000: Sections 292, 465, 469 and 500 of the Indian Penal Code and Sections 66C and 67A of the Information Technology Act, 2000 (the cyber law of India) were applied.
The conviction was procured on evidence including crucial witness statements from scientists of the Central Forensic Science Laboratory, Kolkata.

My Views:
I highly appreciate the conviction upheld as India is short of convictions for cyber crimes committed. This remains first of a kind of conviction in odisha state and could be a first serious conviction of a revenge porn in India. Maligning and destroying a girls life by defaming her online often kills a ladies zeal to live. 
I feel if the convict moves for appeal, his punishment under sections of IPC would be set aside by the High Court in the light of decision made under Sharat Babu Digumarti Vs State Govt of NCT of Delhi but punishment under Sections 66(c) & 67A could be confirmed on merits of the case.

Wednesday, April 19, 2017

Is Credit or Debit Card PIN a Electronic Signature as per the Law ?

For lawyers across the world, a click-wrap agreement, i.e. the act of ticking a box to accept the terms of a contract, can hardly count as a form of signature. In the physical world, that must be right. Similarly, it might be questioned whether a personal identification number (PIN) can be considered an electronic signature.
Arguably, the PIN combines two functions. Before considering the two functions, consider the requirements of the bank. The bank needs to satisfy itself that:
1. The card is legitimate (this is difficult to achieve, as the reports about fraud demonstrate), and
2. The card is in the possession of the customer to whom it was issued, or a person authorised by the customer to use the card.
If the bank satisfies itself that its computer systems are interacting with the card issued to the customer (which is not always the case), then the computer system requests the purported customer to undertake one further act to confirm that they (or a person authorised by them) have physically inserted the card into the ATM or point-of-sale terminal, by keying in the correct PIN. Generally, if the computer systems receive positive results from both interactions, the bank will permit the person at the ATM or point-of-sale terminal to undertake whatever activity they are permitted to do within the terms of the mandate.
The first function of a PIN
The first function of the PIN is as a means of authentication. The PIN purports to demonstrate that the person who keyed in the PIN knew the correct PIN (there are some forms of attack that do not need the correct PIN: any combination of numbers will act to deceive the card issuer that the correct PIN has been keyed in).

Once the computer systems of the bank are satisfied that the card is legitimate and the PIN is the correct PIN of the customer, then the person at the ATM or the point of sale terminal can undertake any activity on the account that is permitted within the mandate and within the limitations of the technology.
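As an added illustration (not part of the original post, and not how any particular bank implements this), the following Python models the issuer side of the two checks just described: first a card-legitimacy check on a keyed cryptogram, then a PIN check with a retry counter. The card key, PAN, PIN, retry limit and the HMAC "cryptogram" are all constructed stand-ins for the real EMV mechanisms. It also shows the weakness the text alludes to: if the issuer trusts a terminal's unauthenticated "PIN verified" flag instead of checking the PIN itself, any combination of digits (or none at all) is accepted.

```python
"""Issuer-side model of the two checks a bank makes before honouring a card
transaction: (1) is the card legitimate, (2) does the person at the terminal
know the PIN.  Illustrative only: the keys, PAN and PIN are constructed, and the
HMAC 'cryptogram' is a simplified stand-in for the chip's EMV cryptogram."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PIN_RETRY_LIMIT = 3      # assumed issuer policy; real limits vary by issuer
PBKDF2_ROUNDS = 50_000


@dataclass
class CardRecord:
    pan: str
    card_key: bytes      # hypothetical per-card key shared only with the chip
    pin_salt: bytes
    pin_hash: bytes
    pin_tries_left: int = PIN_RETRY_LIMIT
    blocked: bool = False


def hash_pin(pin: str, salt: bytes) -> bytes:
    # The issuer never stores the PIN itself (a real issuer keeps this in an HSM).
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def enroll(pan: str, pin: str) -> CardRecord:
    salt = secrets.token_bytes(16)
    return CardRecord(pan, secrets.token_bytes(16), salt, hash_pin(pin, salt))


def card_cryptogram(card_key: bytes, pan: str, amount: int, nonce: bytes) -> bytes:
    # What the chip computes over the transaction; a cloned card without the key cannot.
    msg = f"{pan}|{amount}|{nonce.hex()}".encode()
    return hmac.new(card_key, msg, hashlib.sha256).digest()


class Issuer:
    def __init__(self) -> None:
        self.cards: dict[str, CardRecord] = {}

    def register(self, rec: CardRecord) -> None:
        self.cards[rec.pan] = rec

    def authorise(self, pan, amount, nonce, cryptogram, pin=None,
                  terminal_says_pin_ok=False, trust_terminal_flag=False) -> str:
        rec = self.cards.get(pan)
        if rec is None or rec.blocked:
            return "DECLINED"
        # Check 1: card legitimacy. Constant-time compare avoids a timing oracle.
        expected = card_cryptogram(rec.card_key, pan, amount, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINED"
        # Check 2: the PIN.
        if trust_terminal_flag:
            # Weak design: the issuer believes an unauthenticated 'PIN OK' flag from
            # the terminal, so whatever was keyed in (or nothing) is accepted as long
            # as the flag is set. This is the 'any combination of numbers' failure.
            return "APPROVED" if terminal_says_pin_ok else "DECLINED"
        if pin is None:
            return "DECLINED"
        if hmac.compare_digest(hash_pin(pin, rec.pin_salt), rec.pin_hash):
            rec.pin_tries_left = PIN_RETRY_LIMIT
            return "APPROVED"
        rec.pin_tries_left -= 1
        if rec.pin_tries_left == 0:
            rec.blocked = True      # lock the card after repeated wrong PINs
        return "DECLINED"


def demo() -> dict:
    """Run the scenarios described in the text and return the outcomes."""
    issuer = Issuer()
    card = enroll("4000000000000002", "1234")   # constructed test PAN and PIN
    issuer.register(card)
    nonce = b"\x00\x01\x02\x03\x04\x05\x06\x07"
    genuine = card_cryptogram(card.card_key, card.pan, 1500, nonce)
    forged = card_cryptogram(b"\x00" * 16, card.pan, 1500, nonce)   # wrong key
    out = {
        "genuine_card_right_pin": issuer.authorise(card.pan, 1500, nonce, genuine, pin="1234"),
        "forged_card_right_pin": issuer.authorise(card.pan, 1500, nonce, forged, pin="1234"),
        "terminal_flag_no_pin": issuer.authorise(card.pan, 1500, nonce, genuine,
                                                 terminal_says_pin_ok=True,
                                                 trust_terminal_flag=True),
    }
    out["wrong_pin_three_times"] = [
        issuer.authorise(card.pan, 1500, nonce, genuine, pin="0000")
        for _ in range(PIN_RETRY_LIMIT)
    ]
    out["blocked_after_lockout"] = issuer.authorise(card.pan, 1500, nonce, genuine, pin="1234")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the script prints one line per scenario: the genuine card with the right PIN is approved, the forged card is declined on the first check alone, the "trust the terminal" path approves with no PIN at all, three wrong PINs lock the card, and the right PIN is declined once the card is blocked.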
The second function of a PIN
The PIN, even though it is offered to the machine before a transaction is effected, acts as a signature to verify a payment or other form of transaction. This means that the presentation of a card to an ATM, and the input of a PIN, is similar to a cheque that is written out by the account holder, signed, and then presented to the cashier at the bank. The customer completes the action necessary to request a payment in advance of the payment being made by the cashier, and then signs the cheque in the presence of the cashier – all before receiving acknowledgment that a transaction has been authorised. This means the PIN is a form of electronic signature.
It might be considered that the action of clicking the ‘I accept’ icon or box, or typing in a PIN are merely a means by which the person agrees to conclude the contract, but the act is not that of appending their electronic signature.
This analysis might be right, but we must recall that the digital world is different to the physical world. Conceptually, some of the forms of electronic signature may not strictly be considered ‘signatures’ in the physical world. Nevertheless, it is a convenient shorthand to refer to some forms of agreeing to enter a contract as an ‘electronic signature’ – at least we can all understand the meaning behind these words, even if the form is not quite what we expect.

Case Law:

In Standard Bank London Ltd v. Bank of Tokyo Ltd [1995] CLC 496; [1996] 1 C.T.L.R. T-17 and Industrial & Commercial Bank Ltd v. Banco Ambrosiano Veneto SpA [2003] 1 SLR 221, it was held that a message sent through the SWIFT (Society for Worldwide Interbank Financial Telecommunication) system using an authentication code has the legal effect of binding the sender bank according to its contents; where a recipient bank undertakes further checks on credit standing or other aspects, that does not detract from this proposition.

What is ones responsibility as a cardholder?
You, and all your supplementary cardholders, must take all reasonable precautions to prevent the card and the card number, the PIN, or any other security details for the card or account (the "card security details") from being misused or used to commit fraud. These precautions include:
  • sign the card as soon as it is received and comply with any security instructions;
  • protect the card, the PIN, and any card security details;
  • do not allow anyone else to have or use the card;
  • do not write down the PIN or the card security details, nor disclose them to anyone else, including the police and/or bank staff;
  • do not allow another person to see your PIN when you enter it or it is displayed;
  • do not tamper with the card;
  • regularly check that you still have your card;
  • keep card receipts securely and dispose of them carefully; and
  • contact the bank about any suspicious matter or problem regarding the use of the card at a terminal.
You must notify the bank immediately if:
  • your card is lost or stolen; or
  • your PIN may have been disclosed; or
  • your card is retained by an ATM; or
  • your address or contact details have changed

Definition of Electronic Signature in various Countries


USA:
Electronic Signatures in Global and National Commerce Act, 15 U.S.C. §§ 7001-7003. 
ELECTRONIC SIGNATURE. – The term “electronic signature” means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record. 
CANADA:
The Uniform Electronic Commerce Act provides a single, media neutral, definition of an electronic signature in s1(b):
(b) “electronic signature” means information in electronic form that a person has created or adopted in order to sign a document and that is in, attached to or associated with the document.
 China:
Order No. 24 of the President of the People’s Republic of China, promulgated on and effective since 4 April 2015, amending the 2004 law.  
Electronic Signatures Law of the People’s Republic of China of 2015. Article 2 provides a definition of electronic signature and data message, both of which are widely drafted:
“Electronic signature” in this law means data in electronic form in or affixed to a data message, which may be used to identify the signatory in relation to the data message and to indicate the signatory’s approval of the information contained in the data message.
“Data message” means information generated, sent, received or stored by electronic, optical, magnetic or similar means.
EU:

The eIDAS Regulation (EU) No 910/2014 defines an electronic signature in Article 3(10):
‘electronic signature’ means data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign;
India:
Section 2(1)(ta) of the Information Technology Act 2000 defines electronic signature as
"Authentication of any electronic record by a subscriber by means of the electronic technique specified in the second schedule and includes digital signature."
The definition of electronic signature includes digital signature and any other electronic technique that may be specified in the Second Schedule of the Act; thus an electronic signature means authentication of an electronic record by a subscriber by means of such electronic techniques. The adoption of 'electronic signature' has made the Act technology neutral, as it recognizes both the digital signature method based on cryptographic techniques and electronic signatures using other technologies.
