The fourth meeting of the Cyber Patriot Task Force, focused on Cyber Security, was held on 29th June 2019 at the Constitution Club of India, New Delhi. CISOs from banks, government, the services sector, MNCs and other organisations participated.
Following is the list of attendees:
- Dr Anupam Saraph, Professor, Symbiosis Institute of Computer Studies and Research
- Professor Anjali Kaushik, MDI-Gurgaon
- Mr A G Giridharan, Deputy General Manager, Reserve Bank of India
- Mr A Ganesh, COO, Airtel Payments Bank
- Ms Anjana Dube, DDG, Department of Financial Services, Ministry of Finance
- Ms Aparna Kuppuswamy, Chief Risk Officer & Executive Vice President, SBI Card and Payment Services Pvt Ltd
- Dr Balsing Rajput, Superintendent of Police (Cyber), Maharashtra
- Dr Gulshan Rai, Former National Cyber Security Coordinator & Distinguished Fellow, SKOCH Development Foundation
- Mr Mannan Godil, Associate Director & Head - Information Security, CISO, Edelweiss Asset Management Ltd
- Mr Manu Verma, IBM Security - Trusteer (India/South Asia)
- Mr Prashant Gupta, Partner, Grant Thornton India LLP
- Mr S S Sarma, Director, Indian Computer Emergency Response Team (CERT-In)
- Mr Sanjeev Kumar Gupta, Chief Manager (Information Security Operations), State Bank of India
- Mr Sanjivan Shirke, Chief Information Security Officer, UTI Mutual Fund
Digital Payments are becoming ubiquitous. They either underlie or overlap every service transaction that we undertake. While this enhances productivity and convenience, it also creates a large number of security and privacy issues. Recent RBI working papers have referred to Distributed Ledger Technology (DLT); while DLT can strengthen the system, it raises implementation issues such as interoperability and the question of who the partners in the trusted ecosystem would be.
Technologies of the future are leading to trade battles in which data is the key resource. A national strategy would also need to take note of the quantum computing developments that are around the corner.
The India Strategy would need to take stock of global developments across Blockchain, 5G, Artificial Intelligence (AI), Quantum Computing and other technologies. The risk vs. reward of their implementation must be determined.
Session 1: Regulatory Landscape on Cyber Security
- Baseline approach: All regulators must have a common minimum baseline of regulations that apply across industries when it comes to digital systems. These baselines will ensure that there is no ambiguity in regulations and that all stakeholders comply without resorting to convenient interpretations of the guidelines.
- Sectoral regulations: Apart from basic baselines, the regulators need to study their sectors well and come up with specific, holistic and relevant regulations which apply to their sector to ensure that ring-fencing is proper and sturdy.
- Super regulator: There is a potential need for a super-regulator which looks at all things cybersecurity from an industry perspective and issues guidelines from time to time on compliance. Apart from this, the super-regulator can also ensure timely response in events of distress and attacks, while also maintaining a reliable database of potential culprits and taking them to task.
- Chain of command: In the digital payments space alone, there are RBI regulations, the data protection bill, the IT Act, SC directives and other corporate laws framed by the ministries from time to time. A clear chain of command needs to be established on the relative primacy of these laws.
- Absolute authentication: Two factor authentication doesn’t work, OTPs are prone to hacking and biometrics have latent dangers of identity theft. In this scenario, there’s a need for a fresh look at the authentication protocols and the financial sector, at least, must come up with a competent and stable solution to solve the authentication problem which doesn’t rely on anonymization (like UPI) or restricted access (like biometrics).
Session 2: Securing Payments
- Straightening blockchain: While RBI has banned cryptocurrency, it has largely remained silent on the use of blockchain for financial transactions. Meanwhile, two large private banks have already moved their trade financing functions to indigenously developed blockchains. NITI Aayog is working on multiple such projects, and the lack of clarity around India’s stand on the technology is not only hurting existing businesses but stifling innovation in this area. The government must make clear the scope and specifications for using blockchain in the country.
- Monitoring grievances: In the current policy environment, the existence of multiple regulators ends up diluting control rather than strengthening it. The governance piece goes missing from payment systems often and it’s usually the law enforcement that’s left holding the bag when the dust settles. There’s a need for agile regulators which focus on specialised areas of the economy and work to promote innovation instead of stifling it.
- Interoperability: By design, blockchains are not supposed to communicate with each other. If money starts flowing through such platforms, the walled garden problem will be back for us to face only in a more decentralised avatar which is harder to tame. The policy framework must determine the preconditions for using blockchain and specify the amount of transparency that’s needed in the system before more good money is thrown after bad.
- Regulatory sandboxes: When there is no clear instruction prohibiting its use, firms often assume that a certain technology is available for their use. Regulatory sandboxes must be launched on priority to enable innovation and testing in a safe environment where the stakes are low and technologies can be properly evaluated before being launched to the public.
- Rethinking financial systems: While it might be too late to fix UPI or Aadhaar Pay by design, the technology czars need to get back to the drawing board and apply the rules of basic finance and economics while coming up with new ways to pay. Cost-benefit analyses covering latency, failure rate and fraud possibilities need to be undertaken before designing a new product which further upends the payer-payee relationship.
Session 3: Cyber Policing
- Centralised repository: All fraud events, actual or potential, need to be mapped along with the person’s details, phone numbers and bank accounts in a central repository accessible to all financial market players. This can also be used as a preventive blacklist which will help curb crimes before they happen and ring-fence the financial system from fraudsters.
- Data sharing: Telecom companies should mandatorily share their suspected spam analysis reports with financial regulators at least, if not with the players, so that all persons who operate multiple SIM cards with malicious intent or use telecom networks to make phishing attempts come within the purview of the law enforcement agencies.
- Velocity checks: Even though the RBI has some regulation around checking velocity of transactions in order to detect fraud, these need to be upgraded and updated to include different kinds of non-financial acts such as opening multiple bank accounts, sending UPI collection requests and transacting on international sites where two factor authentication is not mandatory.
- Bank integration: Banks that suffer any kind of financial fraud or misdoing incident must report it on a common portal after anonymising the data, in order to improve intelligence sharing within the sector. This can be done through an RBI mandate specifying the periodicity.
- Taking away reputational risk: Financial sector participants that claim to suffer reputational risk from reporting crimes should be assured anonymity and provided incentives for increased reporting. RBI and SEBI should ease the disclosure norms and make it easier for companies to report crimes without necessarily having to disclose them to the public at large, at least until the crime is solved.