Wednesday, April 9, 2014

Suing the Government

Should a government department, a government official or an elected minister be sued in event of negligence or lack of services which are promised by the Constitution?

Yes, by all means; but taking any such action requires permissions at various levels which includes running hurdles for the investigation team.

This thought has been on my mind for quite some time and was rekindled by this report about an event in the US.http://www.nationaljournal.com/tech/court-upholds-ftc-s-power-to-sue-hacked-companies-20140407So a court recognizes that a government agency can sue anyone for not having security in place.

We are lucky that our IT Act has a similar provision as it expects ‘reasonable’ security to be in place and this is good for all – prosecution and defence lawyers. I say it is good because everyone will have a great time discussing the definition, scope, inclusions and exclusions of the term ‘reasonable security’.

Anyway there are cyber and non-cyber considerations:

First a look at non-cyber considerations – 
a lady alighted from her car and fell into an open drain on Marine Drive day before yesterday. People have fallen into drains, or off trains because the platform is too low; cars have fallen into ditch sized potholes, potholes dot all Mumbai roads and can break your neck or back.
So can we sue the Mumbai Municipal Corporation, the Commissioner, the traffic cops and the local Minister for abetment in a conspiracy to murder/ or for culpable homicide? If the police arrest the husband, and all in-laws, (usually) as abettors, in the unfortunate event of a suicide by a lady, then how is this different from the blind actions of the MMC arising from the indecent state of infrastructure which can kill you at any moment?

Another scenario is when there is a fire and the Fire Department discovers that the absence of fire-fighting equipment – they penalize and take you to court.

Now we take a look at the Cyber scenario – 
In the country CERT empanelled auditor firms are in great demand and there are only 40 / 50 companies which hold the distinction of this honor. The government mandate is that CERT is our cyber protector, and these empanelled agencies are the eyes, ears and hands which will ensure that the Government infrastructure is secure. Inspite of all the brouhaha and strict procedure government websites are defaced and reports are leaked about breaches and hacks in Government departments, banks etc – all those institutions which place blind faith on the CERT empanelment.
The BIG question is – how come no official is kicked out? How come no empanelled company is de-listed? How come there is no public inquiry into such incidents? Why doesn’t the police arrest anyone from any of these audit firms (they did arrest auditors in the Satyam saga)?
Why is no one taken to court for deficiency in their security infrastructure and for deficiency in service?

Why is no one taken to court for paying huge penalties for using pirated software – not a single company or bank has every reported this to SEBI or the bourses. And when the cops advise not to file an FIR are they not abetting the crime being committed by the management.

A shameful event (among many breaches) was the defacement of the CBI website which then remained ‘down’ for more than a month. Did the auditor / webmaster / IT / IS officers and contractors get kicked out and charge-sheeted .. I guess not!

Will this happen when the insurance market matures, or will this happen when the cyber-police department is sufficiently staffed to handle volumes. And with every passing day the volume of crimes is bound to increase.
What is needed is a Data Protection Act, better Governance (corporate or institutional) but we are all chasing a Privacy chimera – maybe this sounds more fashionable.

Someone has to be held responsible – and we all know who has to stand up. Will anyone have the moral and procedural guts to be the change?


Friday, April 4, 2014

WMDs of a different kind

Just when the world is understanding a concept, we can trust the US Government to come up with some brilliant idea that turns the concept on it's head. 

Remember Stuxnet? We were struggling with the viruses in the wild, calling them trojans and malware and all sorts of names and then... boom! Stuxnet rises, cripples Iran's nuclear abs and creates a new lexicon entry - APT. 

Cut to present day disclosures - Cyberwar and cyberterror experts are yet to digest the contents of TAO or PRISM. In fact the most respected people in the war business have (on record) said they do not understand the term "cyberwar". 

Inspite of such disclosures, governments are buying cutting edge tools for doing stuff on their perimeter and outside. Armies of developers are creating cyber-weapons (malware) and letting their inner devils run wild.

No one even thought about creating chaos to bring down a government, except the brilliantly evil brains in the American establishment! 


Read U.S. secretly built 'Cuban Twitter' to stir unrest

No one thought of converting the idea of "Arab spring" into a cyber-weapon! 
Except for the brilliantly evil brains in the American establishment :)

And the concept of cyberweaponry is now turned over it's head. A true blue WMD that can be used to spread disinformation, create chaotic crowds, influence thought or engineer civil strife. And there is the easy way to engineer the downfall of a government.  

The US government used the facade of USAID to set up a twitter-like portal (Zun Zuneo) focused on building a community in Cuba and have used it for a number of self-serving activities. The underlying objective is to influence thought and bring about change by having a democratic government. 

So what does this now do for the world? Increase the level of distrust for all business or things of US origin. 

I mean if Facebook starts a misinformation campaign after setting up about a 1000 or more fake accounts where are we headed. 

How about scaring a whole country (or community) and starting mass migration and polarization on the lines of caste / color / religion / language. 

Or mobilizing flash crowds in every city to chant anti-national slogans creating a law and order situation.

In the last few days we have read disclosures which reported that Google and Microsoft have accessed emails without authorization. The Snowden disclosures are still continuing and have not helped in managing the reputations of any of these global corporations. 

There is distrust all around! And incidents like this from USAID will not help. 

However, we have a new WMD and it has to be developed in stealth mode.