Cyber security : news and updates

What is the News?
To provide Cyber security training to staffs Ministry of Railways has joined hands with the Centre for Development of Advanced Computing (C-DAC).  The training will educate its officials on Internet ethics, cyber hygiene and best practices in the use of IT equipment, including mobile phones.

This is a part of C-DAC’s National Cyber Security Strategy. The training was decided based on the recent cyberattacks across the railway network during the ongoing pandemic.

Use of IT infrastructure in Railways:

• The Indian Railways uses IT infrastructure for the Passenger Reservation System (PRS).  PRS is the nationwide online passenger reservation and ticketing system for railways.
• E-payment is also provided as part of the Freight Operations Information System(FOIS).

 Why cyber security training is needed?

• The PRS includes passengers identities, proof of address, passenger mobile number and net banking/card payment details. So any cyber breach will endanger the sensitive data of the passengers.
• Indian Railways has seen a number of cyber breaches in various IT applications of railways. For example, illegal applications were used to book tickets, bypassing the railway firewall.
• These incidents occurred due to improper handling of the IT assets by the personnel.
• Further, these breaches increased after the lockdown due to an increase in electronic modes of communication in official working. So cyber security training is much needed.
• Hence, it was necessary that all railway officials took responsibility and follow adequate procedures when using IT infrastructure. This is important for ensuring confidentiality, privacy in dealing with official information.

Source: The Hindu

Synopsis: Deepfakes are becoming a huge threat. This AI-based technology has been used to incite violence and disrepute people. Recently, it was used allegedly used to incite violence in the US.

What are Deepfakes?

• Deepfakes are modified images, text, audio, and video or synthetic media, created with the help of Artificial Intelligence.
• It generates a fake version from an original or real audio-visual content by superimposing new audio or image on an existing media file.

• • For example; with the use of AI, the face of a person in an original video can be replaced with the face of another person (Morphing). Now the modified face will mimic the head movements, vocal patterns, and facial expressions of the original one.

• Media is manipulated with such sharpness that it becomes almost impossible to identify the difference between fake and real media. It can only be identified by using AI tools.

Read – Capitol building coup attempt in US: Reasons behind launch and failures – ForumIAS Blog

Threats of Deep Fakes

• Deep fakes can be used to disrupt the democratic processes like elections in any country.

• • It is believed that Capitol Hill violence was incited by using deep fake media which caused misinformation and disinformation.

• Deep Fakes are used to stain the reputations of individuals and spread propaganda against them.
  • According to a deep fake tracking research organization, in the month of October alone, over 100,000 fake nude images of women were circulating online.
  • Real images for that purpose were acquired through social media accounts.
• The existence of deep fakes causes that much distrust among the public that any true evidence of a crime can easily be dismissed as fake.
• These technologies can be used by terrorist organizations and insurgents to further their agenda of destabilizing state governments. They can spread false information about institutions, public policy, and politicians for this purpose.
• The existing legal framework of many countries including India does not criminalize deep fakes.

Regulations of Deep fakes 

In US: As per US law, Social Media Companies cannot be held responsible for the posts on their platforms.

In India: Some provisions in the Indian Penal Code (IPC) and Information Technology Act, 2000 criminalize a few related cybercrimes. But there is no specific law as of now to deal with deep fakes.

Issues in India’s legal system 

• Sections 66E, 67, 67A, and 72 of the IT act deal with the violation of privacy and publishing or transmitting obscene material in electronic form.

• • But these provisions can also result in penal consequences for the victim, for voluntarily producing such material.

• The Information Technology Intermediary Guidelines (Amendment) Rules, 2018 are insufficient to tackle content manipulation on digital platforms.

• • Guidelines require that intermediate companies take necessary steps for the removal of illegal content.

• During the 2019 general election of India, the election commission gave out instructions on the use of social media for election campaigns. Social media companies also agreed to take action to prevent any violations.

• • However, it has been reported that social media platforms like WhatsApp were used for spreading misinformation and propaganda during the election.

What are the steps to be taken?

Existing laws are not enough to protect individuals against deep fakes. Only AI-generated tools can be effective in detection.

• AI-based detection tools with the capability to detect deep fakes must be invented as soon as possible.
• In 2020, the University of Washington and Microsoft arranged a workshop with experts to discuss how to avoid deep fake technology from harmfully affecting the 2020 U.S. presidential election. The workshop concluded with the following suggestions:

• • Deep Fakes must be included under hateful manipulated media, propaganda, and disinformation campaigns.
  • Journalists should be provided with tools to examine the authenticity of images, video, and audio recordings. For that, they require proper training and resources.
  • Policymakers need to understand how deep fakes can threaten polity, society, economy, culture, individuals, and communities.

Way forward

The best way to deal with this menace is AI-backed technological tools to detect and prevent deep fakes. These tools must be invented by the countries in cooperation as soon as possible. If steps are not taken immediately, these technologies are even capable of invoking wars among countries, in this information age.

Synopsis– Present data-based technological development and Personal Data Protection Bill 2019 presents a unique challenge to the privacy of individuals.  

Introduction Personal Data Protection Bill 2019   –

By Puttaswamy v India (2017) case, privacy was established as a fundamental right. In other cases, MP Sharma v. Satish Chandra (1954) and Kharak Singh v. Uttar Pradesh (1962), as well, Privacy rights were upheld by SC.  

However, the development of global technology and implementation of the Aadhaar biometric programme in India have diluted the effect of these rulings. Now there is an urgent need to take a new look at the legal position of privacy in India. 

As depicted by Aadhaar based technology and global social media platforms, data has become a new oil i.e., it has become a tool for economic and political gain. It created a stream of data protection legislations, globally. India is also trying to join the league by Personal Data Protection Bill 2019 (DPB).   

In India, the Personal Data Protection Bill 2019 (DPB) is currently under consideration by a parliamentary committee. There are various issues in this bill that go against the privacy rights of individuals. 

Commercial and Political consequences of the Data Protection Bill (DPB): 

Data Collection related issues  

• First- Bill will negatively impact the emerging technologies market of India dealing in creation, use, and sale of data that is valued at $1 trillion by 2025.  
• Second- The bill requires digital firms who want to operate in India to obtain permission from users before collecting their data.  
• Third– Bill also declares that users who provide data are, in effect, the owners of their own data and may control its usage or request firms to delete it.  
  • • European internet-users are able to exercise a “right to be forgotten” and have evidence of their online presence removed. 
• Fourth– The bill allows the government to use “critical” or “sensitive” personal data, related to information such as religion, to protect national interest. 

• Fifth– Open-ended access to government could lead to misuse of data. Mr. B N Srikrishna, the chairmen of the drafting committee of the original bill, warned that government-access exemptions risk creating an “Orwellian state”.

Issues related to Establishment of Data Protection Authority (DPA)  

• Bill aims to establish a Data Protection Authority (DPA), which will be charged with managing data collected by the Aadhaar programme. 
  • • Authority will consist of chairperson and six committee members,  
    • Members will be appointed by the central government on the recommendation of a selection committee.
    • Members will be selected from senior civil servants, including the Cabinet Secretary. 
• The government’s power to appoint and remove members at its discretion provides it an ability to influence the independence of agency.
• Unlike similar institutions, such as the Reserve Bank of India or the Securities and Exchange Board, the DPA will not have an independent expert or member of the judiciary on its governing committee.
• The UIDAI, for its part, has a chairperson appointed by the central government and reporting directly to the Centre.

Issues related to government use of data for surveillance

There are instances that suggest, India is acquiring some features of a surveillance state. 

• As stated by the Union Home minister recently, police used facial recognition technology to identify people after the anti-CAA protests and the Delhi riots. 
• There is a high possibility that police was matching the video offstage with the database of Election Commission and e-Vahan, a pan-India database of vehicle registration.

Issue related to safety of data 

There are instances of controversy where government has shown casual approach towards data safety and privacy of its citizens:  

• First, Safety concerns were raised during aadhaar data collection, which stores biometric data in the form of iris and fingerprints which is a violation of right to privacy.  
• Second instance was of Aarogya Setu contact-tracing app which was allegedly not able to protect the data provided by citizens.  

Way Forward 

• The Data Protection Bill is a unique opportunity for India, a country with some 740 million internet users.  It would be a standard setter for privacy of individuals. 
• Inclusive debate needs to take place in the Joint Parliament Committee and then in Parliament to examine the Data Protection Bill and promote transparency.

News: The ‘Solar Winds hack’, a cyberattack discovered in the United States, has emerged as one of the biggest ever targeted against the US government.In fact, it is likely a global cyberattack.

Facts:

• SolarWinds Hack also called the Supply Chain attack is a cyberattack discovered in the United States.
• Instead of directly attacking the federal government or a private organisation’s network, the hackers target a third-party vendor which supplies software to them.

Additional Facts:

• Cyberattack: It is a malicious and deliberate attempt by an individual or organization to breach the information system of another individual or organization.
• Common types of cyber attacks
  • Malware: Malware (malicious software) refers to any kind of software that is designed to cause damage to a single computer, server or computer network.
  • Phishing: It is the practice of sending fraudulent communications that appear to come from a reputable source, usually through email.The goal is to steal sensitive data like credit card and login information or to install malware on the victim’s machine.
  • Zero-day exploit: A zero-day exploit hits after a network vulnerability is announced but before a patch or solution is implemented. Attackers target the disclosed vulnerability during this window of time.
  • Man-in-the-middle (MitM) attacks also known as eavesdropping attacks occur when attackers insert themselves into a two-party transaction. Once the attackers interrupt the traffic, they can filter and steal data.

News: Ministry of Electronics & Information Technology (MeitY) has released the Draft Data Centre Policy,2020.

Facts:

• Aim: Making India a Global Data Centre hub, promote investment in the sector, propel digital economy growth, enable provisioning of trusted hosting infrastructure to fulfil the growing demand of the country and facilitate state of the art service delivery to citizens.

Key Features of the Policy:

• Infrastructure Status: Provide Infrastructure Status to the Data Centre Sector at par with other sectors like Railways, Roadways and Power.
• Single Window Clearance: A single-window, time-bound clearance system for all the approvals required to set up a data-centre park.
• Incentivization Scheme: Formulation of Data Centre Incentivization Scheme (DCIS) which will specify the intended beneficiaries, applicability criteria and fiscal and non-fiscal incentives for the sector.
• Essential Service: Data centres will be declared as an Essential Service under “The Essential Services Maintenance Act, 1968 (ESMA)” which means that there would be a continuity of services even during times of calamities or crisis.
• Inter-Ministerial Empowered Committee(IMEC): It would be set up under the Chairmanship of Secretary, MeitY with participation from various Central Ministries and State Governments to facilitate the implementation of various measures in the sector.
• Data Centre Industry Council(DCIC): An independent Data Centre Industry Council(DCIC) is proposed to be set up which would act as an interface between the sector and the Government.
• Training: Collaboration with the Ministry of Skills Development and Entrepreneurship(MSDE) and leading academic institutes to impart training to workforce on Data Centre, Digital and Cloud technologies, and facilitate sector linkages for such trained workforce.

Additional Facts:

• Data Centre: It is a dedicated secure space within a building where computing and networking equipment is concentrated for the purpose of collecting, storing, processing, distributing or allowing access to large amounts of data.
• Data Centre Parks: These are specialized secure Data Zone located with the most conducive non-IT and IT infrastructure and regulatory environment for housing mix of small scale / large scale / clusters of Data Centres to serve the high needs of compute, storage, networking and provision of a wide range of data-related services.