
Cyber Security Document


Computer security (also known as cybersecurity or IT security) is information security as applied to computers and networks.

The field covers all the processes and mechanisms by which computer-based equipment, information and services are protected from unintended or unauthorized access, change or destruction. Computer security also includes protection from unplanned events and natural disasters.

Cybersecurity breach stories


One true story that shows what mainstream generative technology leads to in terms of online security breaches is the story of the Internet's first worm. In 1988, 60,000 computers were connected to the Internet, but not all of them were PCs. Most were mainframes, minicomputers and professional workstations. On November 2, 1988, the computers acted strangely. They started to slow down because they were running malicious code that demanded processor time and spread itself to other computers. The purpose of the software was to transmit a copy of itself to other machines, run in parallel with existing software, and repeat the process all over again. It exploited a flaw in a common e-mail transmission program running on a computer by rewriting it to facilitate its entrance, or it guessed users' passwords, because, at that time, passwords were simple (e.g. username 'harry' with a password '...harry') or were obviously related to a list of 432 common passwords tested at each computer.[10] The software was traced back to 23-year-old Cornell University graduate student Robert Tappan Morris, Jr. When questioned about the motive for his actions, Morris said 'he wanted to count how many machines were connected to the Internet'.[10] His explanation was verified with his code, which nevertheless turned out to be buggy.

Cyber security standards


Cybersecurity standards are security standards which enable organizations to practice safe security techniques to minimize the number of successful cybersecurity attacks. These guides provide general outlines as well as specific techniques for implementing cybersecurity. For certain specific standards, cybersecurity certification by an accredited body can be obtained. There are many advantages to obtaining certification, including the ability to get cybersecurity insurance. (The spelling "Cyber Security" or "Cybersecurity" depends on the institution, and there have been discrepancies in older documents [1]. However, since the U.S. Federal Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, most forums and media have embraced the spelling "cybersecurity" as a single word.)

History
Cybersecurity standards have been created recently because sensitive information is now frequently stored on computers that are attached to the Internet. Also, many tasks that were once done by hand are now carried out by computer; therefore there is a need for Information Assurance (IA) and security.

ISO 27001
ISO/IEC 27002 incorporates mainly part 1 of the BS 7799 good security management practice standard. The latest version of BS 7799 is BS 7799-3. Sometimes ISO/IEC 27002 is therefore referred to as ISO 17799 or BS 7799 part 1, and sometimes it refers to part 1 and part 7. BS 7799 part 1 provides an outline or good practice guide for cybersecurity management, whereas BS 7799 part 2 and ISO 27001 are normative and therefore provide a framework for certification. ISO/IEC 27002 is a high-level guide to cybersecurity. It is most beneficial as explanatory guidance for the management of an organisation seeking certification to the ISO 27001 standard.

The certification, once obtained, lasts three years. Depending on the auditing organisation, no or some intermediate audits may be carried out during the three years. ISO 27001 (ISMS) replaces BS 7799 part 2, but since it is backward compatible, any organization working toward BS 7799 part 2 can easily transition to the ISO 27001 certification process. There is also a transitional audit available to make it easier for an organization that is BS 7799 part 2-certified to become ISO 27001-certified.

ISO/IEC 27002 states that information security is characterized by integrity, confidentiality, and availability. The ISO/IEC 27002 standard is arranged into eleven control areas: security policy, organizing information security, asset management, human resources security, physical and environmental security, communication and operations, access controls, information systems acquisition/development/maintenance, incident handling, business continuity management, and compliance.[2] ISO 27001 provides the management system required to implement ISO 27002 control objectives. Without ISO 27001, ISO 27002 control objectives are ineffective. ISO 27002 control objectives are incorporated into ISO 27001 in Annex A.

ISO/IEC 21827 (SSE-CMM ISO/IEC 21827) is an International Standard based on the Systems Security Engineering Capability Maturity Model (SSE-CMM) that can measure the maturity of ISO control objectives.

Standard of good practice

In the 1990s, the Information Security Forum (ISF) published a comprehensive list of best practices for information security, published as the Standard of Good Practice (SoGP). The ISF continues to update the SoGP every two years; the latest version was published in 2011. Originally the Standard of Good Practice was a private document available only to ISF members, but the ISF has since made the full document available for sale to the general public. Among other programs, the ISF offers its member organizations a comprehensive benchmarking program based on the SoGP. Furthermore, it is important for those in charge of security management to understand and adhere to NERC CIP compliance requirements.

NERC
The North American Electric Reliability Corporation (NERC) has created many standards. The most widely recognized is NERC 1300, which is a modification/update of NERC 1200. The newest version of NERC 1300 is called CIP-002-1 through CIP-009-2 (CIP = Critical Infrastructure Protection). These standards are used to secure bulk electric systems, although NERC has created standards within other areas. The bulk electric system standards also provide network security administration while still supporting best-practice industry processes.[3]

NIST
1. Special publication 800-12 provides a broad overview of computer security and control areas. It also emphasizes the importance of the security controls and ways to implement them. Initially this document was aimed at the federal government, although most practices in this document can be applied to the private sector as well. Specifically, it was written for those people in the federal government responsible for handling sensitive systems.[4]
2. Special publication 800-14 describes common security principles that are used. It provides a high-level description of what should be incorporated within a computer security policy. It describes what can be done to improve existing security as well as how to develop a new security practice. Eight principles and fourteen practices are described within this document.[5]
3. Special publication 800-26 provides advice on how to manage IT security. This document emphasizes the importance of self assessments as well as risk assessments.[6]
4. Special publication 800-37, updated in 2010, provides a new risk approach: "Guide for Applying the Risk Management Framework to Federal Information Systems".
5. Special publication 800-53 rev3, "Guide for Assessing the Security Controls in Federal Information Systems", updated in August 2009, specifically addresses the 194 security controls that are applied to a system to make it "more secure".

ISO 15408
This standard develops what is called the Common Criteria. It allows many different software applications to be integrated and tested in a secure way.

RFC 2196
RFC 2196 is a memorandum published by the Internet Engineering Task Force for developing security policies and procedures for information systems connected to the Internet. RFC 2196 provides a general and broad overview of information security, including network security, incident response, and security policies. The document is very practical and focuses on day-to-day operations.

ISA/IEC-62443 (Formerly ISA-99)


ISA/IEC-62443 is a series of standards, technical reports, and related information that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS). This guidance applies to end-users (i.e. asset owners), system integrators, security practitioners, and control systems manufacturers responsible for manufacturing, designing, implementing, or managing industrial automation and control systems.

These documents were originally referred to as ANSI/ISA-99 or ISA99 standards, as they were created by the International Society for Automation (ISA) and publicly released as American National Standards Institute (ANSI) documents. In 2010, they were renumbered to be the ANSI/ISA-62443 series. This change was intended to align the ISA and ANSI document numbering with the corresponding International Electrotechnical Commission (IEC) standards. All ISA work products are now numbered using the convention ISA-62443-x-y, and the previous ISA99 nomenclature is maintained for continuity purposes only. Corresponding IEC documents are referenced as IEC 62443-x-y. The approved IEC and ISA versions are generally identical for all functional purposes.

ISA99 remains the name of the Industrial Automation and Control System Security Committee of the ISA. Since 2002, the committee has been developing a multi-part series of standards and technical reports on the subject. These work products are then submitted to the ISA for approval and publishing under ANSI. They are also submitted to IEC for review and approval as standards and specifications in the IEC 62443 series.

Planned and published ISA-62443 work products for IACS Security.

All ISA-62443 standards and technical reports are organized into four general categories called General, Policies and Procedures, System, and Component.
1. The first (top) category includes common or foundational information such as concepts, models and terminology. Also included are work products that describe security metrics and security life cycles for IACS.
2. The second category of work products targets the Asset Owner. These address various aspects of creating and maintaining an effective IACS security program.
3. The third category includes work products that describe system design guidance and requirements for the secure integration of control systems. Core to this is the zone and conduit design model.
4. The fourth category includes work products that describe the specific product development and technical requirements of control system products. This is primarily intended for control product vendors, but can be used by integrators and asset owners to assist in the procurement of secure products.

The planned and published ISA-62443 documents are as follows:

Group 1: General

ISA-62443-1-1 (IEC/TS 62443-1-1) (formerly referred to as "ISA-99 Part 1") was originally published as ISA standard ANSI/ISA-99.00.01-2007, as well as an IEC technical specification IEC/TS 62443-1-1. The ISA99 committee is currently revising it to make it align with other documents in the series, and to clarify normative content.

ISA-TR62443-1-2 (IEC 62443-1-2) is a master glossary of terms used by the ISA99 committee. This document is a working draft, but the content is available on the ISA99 committee Wiki.

ISA-62443-1-3 (IEC 62443-1-3) identifies a set of compliance metrics for IACS security. This document is currently under development and the committee will be releasing a draft for comment in 2013.

ISA-62443-1-4 (IEC/TS 62443-1-4) defines the IACS security life cycle and use case. This work product has been proposed as part of the series, but as of January 2013 development had not yet started.

Group 2: Policy and Procedure

ISA-62443-2-1 (IEC 62443-2-1) (formerly referred to as "ANSI/ISA 99.02.01-2009 or ISA99 Part 2") addresses how to establish an IACS security program. This standard is approved and published by the IEC as IEC 62443-2-1. It is now being revised to permit closer alignment with the ISO 27000 series of standards.

ISA-62443-2-2 (IEC 62443-2-2) addresses how to operate an IACS security program. This standard is currently under development.

ISA-TR62443-2-3 (IEC/TR 62443-2-3) is a technical report on the subject of patch management in IACS environments. This report is currently under development.

ISA-62443-2-4 (IEC 62443-2-4) focuses on the certification of IACS supplier security policies and practices. This document was adopted from the WIB organization and is now a work product of the IEC TC65/WG10 committee. The proposed ISA version will be a U.S. national publication of the IEC standard.

Group 3: System Integrator

ISA-TR62443-3-1 (IEC/TR 62443-3-1) is a technical report on the subject of suitable technologies for IACS security. This report is approved and published as ANSI/ISA-TR99.00.01-2007 and is now being revised.

ISA-62443-3-2 (IEC 62443-3-2) addresses how to define security assurance levels using the zones and conduits concept. This standard is currently under development.

ISA-62443-3-3 (IEC 62443-3-3) defines detailed technical requirements for IACS security. This standard has been published as ANSI/ISA-62443-3-3 (99.03.03)-2013. It was previously numbered as ISA-99.03.03.

Group 4: Component Provider

ISA-62443-4-1 (IEC 62443-4-1) addresses the requirements for the development of secure IACS products and solutions. This standard is currently under development.

The ISA-62443-4-2 (IEC 62443-4-2) series addresses detailed technical requirements at the IACS component level. This standard is currently under development.

More information about the activities and plans of the ISA99 committee is available on the ISA99 committee Wiki site. For more information on the activities of the IEC TC65/WG10 committee see the IEC TC65 site.

ISA Security Compliance Institute

Related to the work of ISA 99 is the work of the ISA Security Compliance Institute. The ISA Security Compliance Institute (ISCI) has developed compliance test specifications for ISA99 and other control system security standards. They have also created an ANSI-accredited certification program called ISASecure for the certification of industrial automation devices such as programmable logic controllers (PLC), distributed control systems (DCS) and safety instrumented systems (SIS). These types of devices provide automated control of industrial processes such as those found in the oil and gas, chemical, electric utility, manufacturing, food and beverage, and water/wastewater processing industries. There is growing concern from both governments and private industry regarding the risk that these systems could be intentionally compromised by "evildoers" such as hackers, disgruntled employees, organized criminals, terrorist organizations, or even state-sponsored groups. The recent news about the industrial control system malware known as Stuxnet has heightened concerns about the vulnerability of these systems.

IASME
A very recently developed UK-based standard aimed at SMEs.[7]

What is cyber security?


It seems that everything relies on computers and the internet now: communication (email, cellphones), entertainment (digital cable, mp3s), transportation (car engine systems, airplane navigation), shopping (online stores, credit cards), medicine (equipment, medical records), and the list goes on. How much of your daily life relies on computers? How much of your personal information is stored either on your own computer or on someone else's system? Cyber security involves protecting that information by preventing, detecting, and responding to attacks.

What are the risks?


There are many risks, some more serious than others. Among these dangers are viruses erasing your entire system, someone breaking into your system and altering files, someone using your computer to attack others, or someone stealing your credit card information and making unauthorized purchases. Unfortunately, there's no 100% guarantee that even with the best precautions some of these things won't happen to you, but there are steps you can take to minimize the chances.

What can you do?


The first step in protecting yourself is to recognize the risks and become familiar with some of the terminology associated with them.

Hacker, attacker, or intruder - These terms are applied to the people who seek to exploit weaknesses in software and computer systems for their own gain. Although their intentions are sometimes fairly benign and motivated solely by curiosity, their actions are typically in violation of the intended use of the systems they are exploiting. The results can range from mere mischief (creating a virus with no intentionally negative impact) to malicious activity (stealing or altering information).

Malicious code - Malicious code, sometimes called malware, is a broad category that includes any code that could be used to attack your computer. Malicious code can have the following characteristics:

It might require you to actually do something before it infects your computer. This action could be opening an email attachment or going to a particular web page.

Some forms propagate without user intervention and typically start by exploiting a software vulnerability. Once the victim computer has been infected, the malicious code will attempt to find and infect other computers. This code can also propagate via email, websites, or network-based software.

Some malicious code claims to be one thing while in fact doing something different behind the scenes. For example, a program that claims it will speed up your computer may actually be sending confidential information to a remote intruder.

Viruses and worms are examples of malicious code.

Vulnerability - In most cases, vulnerabilities are caused by programming errors in software. Attackers might be able to take advantage of these errors to infect your computer, so it is important to apply updates or patches that address known vulnerabilities (see Understanding Patches for more information).

This series of cyber security tips will give you more information about how to recognize and protect yourself from attacks.

Why is it important to remember that the Internet is public?


Because the Internet is so accessible and contains a wealth of information, it has become a popular resource for communicating, for researching topics, and for finding information about people. It may seem less intimidating than actually interacting with other people because there is a sense of anonymity. However, you are not really anonymous when you are online, and it is just as easy for people to find information about you as it is for you to find information about them. Unfortunately, many people have become so familiar and comfortable with the Internet that they may adopt practices that make them vulnerable. For example, although people are typically wary of sharing personal information with strangers they meet on the street, they may not hesitate to post that same information online. Once it is online, it can be accessed by a world of strangers, and you have no idea what they might do with that information.

What guidelines can you follow when publishing information on the Internet?

View the Internet as a novel, not a diary - Make sure you are comfortable with anyone seeing the information you put online. Expect that people you have never met will find your page; even if you are keeping an online journal or blog, write it with the expectation that it is available for public consumption. Some sites may use passwords or other security restrictions to protect the information, but these methods are not usually used for most websites. If you want the information to be private or restricted to a small, select group of people, the Internet is probably not the best forum.

Be careful what you advertise - In the past, it was difficult to find information about people other than their phone numbers or address. Now, an increasing amount of personal information is available online, especially because people are creating personal web pages with information about themselves. When deciding how much information to reveal, realize that you are broadcasting it to the world. Supplying your email address may increase the amount of spam you receive (see Reducing Spam for more information). Providing details about your hobbies, your job, your family and friends, and your past may give attackers enough information to perform a successful social engineering attack (see Avoiding Social Engineering and Phishing Attacks for more information).

Realize that you can't take it back - Once you publish something online, it is available to other people and to search engines. You can change or remove information after something has been published, but it is possible that someone has already seen the original version. Even if you try to remove the page(s) from the Internet, someone may have saved a copy of the page or used excerpts in another source. Some search engines "cache" copies of web pages; these cached copies may be available after a web page has been deleted or altered. Some web browsers may also maintain a cache of the web pages a user has visited, so the original version may be stored in a temporary file on the user's computer. Think about these implications before publishing information: once something is out there, you can't guarantee that you can completely remove it.

As a general practice, let your common sense guide your decisions about what to post online. Before you publish something on the Internet, determine what value it provides and consider the implications of having the information available to the public. Identity theft is an increasing problem, and the more information an attacker can gather about you, the easier it is to pretend to be you. Behave online the way you would behave in your daily life, especially when it involves taking precautions to protect yourself.

The cyber security challenge


Major challenges

The national security community is wrestling with several tough problems which will take considerable time and effort to resolve. These include:

1. Declaratory policy: The U.S. government has no official policy publicly communicating what it would or would not do in the event of a major cyber attack against U.S. forces, command and control systems, electric power grids, financial networks, or other elements of military power or critical infrastructure. Should there be a declaratory policy and, if so, what should it stipulate? For example, should we define categories of major cyber attack that are unacceptable, so-called red lines, that would likely trigger a major U.S. retaliatory response?

2. Deterrence policy: Much of the nuclear age has been marked by refinements of deterrence policy crafted to influence adversarial behavior in irregular, conventional and even nuclear war. Are these concepts applicable to the cyber domain, where attribution of the attack is often difficult to ascertain and the range of cyber attack damage can be from the trivial (e.g., slowing email receipt) to the profound (e.g., disabling the nation's military early warning systems)?

3. Authorities and responsibilities: If cyber attacks against U.S. forces or critical infrastructure originate abroad, a response to them would almost surely involve violation of the sovereignty of the state where the attack originated. What is the legal basis for the U.S. to conduct such operations? This is a very thorny problem. Moreover, there is a huge time lag between obtaining appropriate legal authorities (measured often in weeks or months) and the need for national security forces to respond effectively (measured at times in minutes or hours). How can this time lag be most effectively bridged?

4. Guarantees of civil liberties: The United States is built on a government of laws, not men. But cyber security presents a major tension between the policy and legal communities. Given the difficulty in attributing the origins of cyber attacks, and the possibility that some of these attacks could originate in the U.S. or by American citizens, how do we formulate effective policies that still guarantee the civil liberties of our citizens? Under what circumstances would it be justified for the U.S. government to monitor the cyber communications of U.S. citizens or, if necessary, to degrade or disable these systems? And by whom and how should these activities be monitored?

5. Oversight: What is the role of the U.S. Congress in overseeing U.S. cyber activities by the executive branch? Should new committees be formed (perhaps a Senate Select Committee on Cyber Operations, for example) analogous to how the Congress addresses the oversight of intelligence operations? What type of legislation should the Congress consider that would strengthen, not hinder, U.S. cyber security?

6. International consultations, negotiations and agreements: The U.S. is sharing selected information on cyber security with key allies. Should it broaden the dialogue? What types of information should be shared? What should we seek to learn from others, and how can we cooperate? Should the U.S. seek explicit codes of conduct to govern cyber behavior on a bilateral or multilateral basis? Are there advantages to formal treaties, or are they too cumbersome, constraining and difficult to enter into force because of the politicized U.S. Senate ratification process?

7. Cross-domain deterrence and responses: If the U.S. experienced a major cyber attack, it is not required that the response be in cyber space. What rules should govern the U.S. response that could take a political, economic, diplomatic or military form? Would such actions be seen by potential adversaries as proportional or escalatory?

8. Strengthen private sector-government cooperation: How can this best be achieved so that the U.S. financial networks, electric power grids and other essential systems that are in private hands remain well protected? Should, for example, the National Economic Council in the White House play an active role in promoting this cooperative activity, or should it be left to specific executive branch agencies?

We are still in the infancy of understanding cyber security, perhaps analogous to the late 1940s in the nuclear age. During the Cold War, it took more than a decade to convince ourselves that we had an understanding of the rules of the road that would protect U.S. national security. Indeed, to this day some critics claim we still don't have it right. We are thus embarking on an extensive period of analysis, debate and implementation to determine how to make our cyber networks, and all that they enable us to do, secure. This is an important, exciting and uncertain road ahead, a major new development for U.S. national security policy.

Indian Cyber Security Problems, Issues and Challenges Management

Cyber security initiatives of India have started gaining momentum. However, cyber security initiatives in India are still deficient in many aspects. After all, managing India's cyber security problems, issues and challenges is not an easy task. In these circumstances, establishment of the national cyber security database of India (NCSDI) assumes great cyber security significance. The cyber security research and development centre of India (CSRDCI) is also a timely initiative. Undoubtedly, there are many cyber security issues of India that have still been left unattended. The cyber security issues and challenges in India require urgent attention of the Indian government as we have already delayed this process.

India is facing cyber threats from cyber terrorism, cyber warfare, cyber espionage, etc., and we must develop both offensive and defensive cyber security capabilities in India. India is also facing continuous and serious cyber threats that have been endangering the critical infrastructures of India. In these circumstances, there is an urgent need to strengthen critical infrastructure protection in India. We cannot achieve this task without ensuring cyber security skills development in India.

Concerns regarding insufficient cyber security in India have been raised for long, but the Indian government remained indifferent to cyber security of India for long. However, some committed and dedicated private players have been playing a pro-active role in strengthening the cyber security of India. We at Perry4Law, Perry4Law Techno Legal Base (PTLB) and Perry4Law Techno Legal ICT Training Centre (PTLITC) have launched exclusive techno legal Cyber Forensics Research Centre Of India, Cyber Security Research Centre Of India And Cyber Crimes Investigation Centre Of India To Strengthen Indian Cyber Security And Cyber Forensics Capabilities.

Another major lacuna in the cyber security field is the absence of an implementable cyber security policy of India. Till various cyber security declarations and promises are actually implemented, they are of no use. As on date we have no implementable national cyber security policy of India. Even basic level techno legal frameworks are missing in India. For instance, we have no dedicated cyber security laws in India. We also do not have dedicated encryption laws and regulations in India. Even Legal Framework For Mandatory E-Governance In India And Legal Framework For Cloud Computing In India are missing. The Mandatory E-Delivery Of Services In India is also missing. India has to cover a long road in order to make its cyber security effective. It is high time to move beyond declarations and promises as they would not serve any purpose in the present times.

Cyber Security Of E-Governance Services In India Is Needed

Electronic governance (e-governance) is a valuable tool in the hands of the Indian government to deliver public services in an economic, transparent and accountable manner. Presently there is no dedicated legal framework for e-governance in India. Similarly, there is no law that can ensure compulsory e-delivery of public services in India. The proposed draft electronic delivery of service bill, 2011 of India is yet to become an applicable law and binding obligation upon central government and state governments. Naturally, e-governance in India is dying and the Indian government has to do a good amount of hard work to keep it alive. There are many hurdles before the successful implementation of e-governance projects in India. However, nothing is more dangerous and more worrisome than implementing the e-governance projects of India without adequate cyber security. Cyber security of e-governance projects of India is still not contemplated by the Indian government. This can be well understood, as when even implementation of e-governance is in a poor state one cannot expect safe and cyber secure e-governance services in India. The Indian government has recently admitted that it acted very late in drafting the cyber security policy of India 2013. Even the cyber security policy is deficient on many counts. Further, actual implementation of the cyber security policy of India is still to be achieved, which would be a mammoth task in the absence of adequate cyber security expertise.

The Indian government has been repeating mistake after mistake even if it is warned much in advance. For instance, the Indian government is adamant on wasting public money on illegal and unconstitutional projects like Aadhaar. After wasting many crores of Indian money, it is only now that the Supreme Court of India has declared that the Aadhaar card is not mandatory for availing public services in India. Similarly, the Indian government is pushing mobile banking without realising its risks and without ensuring sufficient mobile banking cyber security in India. We do not have any mobile payments cyber security in India as on date. Mobile frauds and online banking frauds have increased tremendously and cyber crime conviction rates in India are almost none. India is not ready for mobile governance as on date, and even mobile governance and e-authentication in India need to be ensured. Private banks are implementing online banking related projects in India without any cyber law due diligence and proper project appraisal. Recently, the ICICI bank has launched an initiative titled Pockets that allows transfer of funds through a Facebook account. Initiatives like these are not in strict compliance with the cyber and banking laws of India. The ICICI bank's Pockets initiative may be insecure and violative of Indian laws. Luckily, the Reserve Bank of India has made the security and risk mitigation measures for card present transactions in India enforceable from 1st October, 2013. This has put the onus of secured card transactions upon banks and they cannot fool the victim customers in this regard. Cyber security in India must be improved so that public services can be better delivered through the mode of e-governance and mobile governance. Similarly, cyber security legal practice must be encouraged and developed in India so that cyber crimes and cyber security related breaches can be properly prosecuted.
Indian government is also required to formulate adequate e-governance cyber security policies for India and implement the same in true letter and spirit. Till then relying upon Indian e-governance services, barring few exceptional ones, is a risky proposition and must be avoided.

Cyber Security Policy Of India To Be Released Next Week

The national cyber security policy of India is long overdue. Although the cyber security policy of India has been approved by the Cabinet Committee on Security (CCS), its actual implementation is yet to be seen.

India has been facing sophisticated cyber attacks, and an effective cyber security policy with a robust cyber security law is urgently needed. Presently India lacks on both counts. But that may not be the situation any more. The Indian government is about to announce the National Cyber Security Policy this week. The policy would ensure intervallic review of legislations to meet the challenges from technology upgradation, a think-tank for cyber security policy inputs, greater private participation and international co-operation in the area of cyber security. The policy also intends to develop bilateral and multi-lateral ties to enhance global cooperation among security agencies, law enforcement agencies and the judicial system. Under the policy a National Critical Information Infrastructure Protection Centre will work around-the-clock to protect critical infrastructure, and a national nodal agency will be designated to coordinate all matters related to cyber security. The policy aims at creating a capable cyber security work force of five lakh professionals and building cyber security training infrastructure across the country through public-private participation. The policy is also encouraging both private and public organisations to designate a member of senior management as chief information security officer responsible for cyber security efforts and initiatives. The Reserve Bank of India (RBI) has already made it mandatory for all banks of India to appoint a chief information officer (CIO).

Cyber Law Awareness In India

Cyber law awareness in India is still not satisfactory. Neither the general public nor the law enforcement agencies of India are well versed in the cyber law and its applicability in India. Cyber security awareness in India is missing. Even the legal fraternity and judges are not comfortable with technology related legal issues. Naturally, we have very few cyber law firms and cyber security law firms in India. Cyber law in India is incorporated in the Information Technology Act 2000. The IT Act 2000 was amended by the Information Technology Amendment Act 2008. Concepts like cyber security, cyber forensics, e-discovery, e-commerce, e-courts, online dispute resolution (ODR), etc. are also fields related to cyber law. A very good resource spreading world class cyber law awareness in India can be found here.

At Perry4Law and Perry4Law's Techno Legal Base (PTLB) we have been spreading cyber law awareness in India for almost a decade. We believe that concepts like cyber law due diligence in India and Internet intermediary liability in India must be properly understood by all the stakeholders. In short, Internet intermediary laws in India and cyber due diligence must be duly complied with by all the stakeholders that have a dealing in the cyberspace. For instance, the e-commerce websites dealing with online pharmacies, online gaming and gambling, online selling of adult merchandise, etc. are openly and continuously violating the laws of India, especially the cyber law of India. Such violations are happening for the simple reason that cyber law awareness among e-commerce stakeholders in India is missing. PTLB is also managing the exclusive cyber crimes investigation centre of India. PTLB is also managing the exclusive techno legal cyber and hi-tech crimes investigation and training centre (CHCIT) of India. We hope our cyber law awareness initiatives in India would be helpful to all cyber law stakeholders of India.

References

Understanding patches
The Comprehensive Cyber Security Initiative

Authors
Mindi McDowell and Allen Householder
Mindi McDowell, Matt Lytle, and Jason Rafail
