Govt planning to draft legal framework for cybersecurity standards
Updated: 25 Aug 2017, 07:24 AM IST
The issues around data need to be addressed in a comprehensive manner for which data protection law is being drafted, says a government official
New Delhi: The government plans to build a legal framework for cyber security standards amid rising cyber attacks and privacy breaches.
The ministry of electronics and information technology (Meity) held an internal meeting with officials on 14 August to brainstorm on global practices in cyber security, the requirements for creating a cyber security standards framework in India, options for a legal framework, security testing capabilities, and the present data security status of devices, according to two people familiar with the matter. The meeting was presided over by Union law and IT minister Ravi Shankar Prasad and minister of state for electronics and IT, P.P. Chaudhary.
The government is also likely to introduce provisions for stricter surveillance, according to a person aware of the matter.
Ajay Kumar, additional secretary, Meity, said that the issues “around data need to be addressed in a comprehensive manner for which data protection law is being drafted”.
“We want to make sure that citizens’ rights are protected and their data is not wrongfully taken away. We want to make sure that any data pertaining to strategic issues of the country is not compromised with,” Kumar said.
Currently, laws such as the BIS Act, the Indian Telegraph Act, and the IT Act offer legal frameworks in one way or another. For example, the BIS Act has a working group on information security and biometrics, and it has adopted other security standards, typically with a lag.
“However, no cyber security has been mandated under this act,” said the first person quoted in the story.
Similarly, the Indian Telegraph Act mostly talks about security guidelines under the telecom licensing terms and conditions, and the IT Act, which was amended in 2008, talks about dealing with any sensitive personal data or information in a “computer resource”.
The ministry is of the view that international standards exist on the issue and “there is a need for legal framework to demand compliance to security standard”, the first person said.
The government is believed to have discussed data leakages, which happened in the cases of Chinese companies Shanghai AdUps and Alibaba-controlled UC Browser.
Kryptowire, a security firm operating out of the US and Canada, said that Shanghai AdUps has a backdoor in the firmware that had sent massive amounts of data about mobile phones and their users to servers in China, which the company later admitted. Firmware means permanent software programmed into a read-only memory.
Security and privacy issues at Alibaba-owned UC Browser were also discussed during the 14 August meeting. In May 2015, Citizen laboratory at the University of Toronto found that the Chinese version of UC Browser leaks information, unlike the English version. Its data leaks included user and device identifier data and location data, sent to a remote server.
Meity’s decision to ask 21 smartphone makers to share details of the security of their handsets, and to ask UC Browser to share its security details, is an outcome of the 14 August meeting, said the first person quoted in the story.
“So far, we have asked 35 smartphone companies and asked them to submit process and procedures on security of handsets,” Kumar of Meity said.
The first person also said that the government will soon ask the makers of Internet of Things (IoT) devices and set-top boxes to submit their security details.
The ministry is of the view that WiFi routers and IP cameras are using default settings that are vulnerable, while in the case of set-top boxes, the prevalence of Chinese Conditional Access System (CAS) is leading to “potential vulnerability”.
“The foreign CAS company can potentially shut down the services for a particular channel in a particular geography. The channel could be used for communication by negative elements,” the first person quoted above in the story said.