NetMission Academy 2024 Session 4: Cybersecurity, Privacy & Safer Internet – Summary

The NetMission Academy’s fourth session, on “Cybersecurity, Privacy & Safer Internet”, was successfully organized on January 25, 2024. The session ran smoothly thanks to the facilitation of Luke Teoh and Qurra Tul Ain Nisar. The assigned working group presented two case studies, (1) the Aadhaar Data Breach and (2) the 2023 NIFT Cybersecurity Breach, and our guest speakers shared fruitful insights on cybersecurity, cybercrime, and a safer Internet.

By attending the session, participants can enhance their knowledge of the concepts of cybersecurity, data privacy, and safe internet practices. They will be able to differentiate between these terms and understand related issues such as data breaches, ransomware attacks, etc.

The session started with brief background on cybersecurity, privacy, a safer Internet, and recommended digital safety practices. Members of working group 4 then presented two case studies on data and cybersecurity breaches, and raised several policy questions for discussion.

Case Study 1: Aadhaar Data Breach

The first case study focused on the “Aadhaar Data Breach”, involving unauthorized access to and compromise of a massive amount of personal and vital information. During the enrollment process for Aadhaar numbers, the demographic and biometric data of 815 million residents (including name, gender, date of birth, address, phone number, email ID, fingerprints, etc.) was collected. In October 2023, this sensitive data was subject to unauthorized access and compromise.

Three root causes leading to the Aadhaar data breach were identified: (1) Inadequate Security Measures, i.e. insufficient data protection methods; (2) Insider Threats, such as a lack of knowledge and skills among staff; and (3) a Lack of Regular Audits, leading to a failure to detect potential vulnerabilities in time. The government responded to this problem by focusing on nomination, regulatory reform, updated encryption and more advanced authentication protocols, as well as enacting new data protection legislation.

In conclusion, to reduce such attacks, the following recommendations were made: (1) Continuous Monitoring and Auditing; (2) Encryption and Access Controls; (3) Public Awareness; and (4) Employee Training and Background Checks.

Case Study 2: The 2023 NIFT Cybersecurity Breach

NIFT (National Institutional Facilitation Technology Pvt Ltd) is one of the major stakeholders in Pakistan’s banking infrastructure. Its data breach therefore had to be addressed without delay to avoid significant compromise of its systems. In spite of the rapid reaction, however, terabytes of data were illicitly accessed, leading to major consequences, including a shift to a manual cheque-clearing system. The incident exposed loopholes in digital infrastructure and showed the possible impact on national security and critical infrastructure. It reiterated the importance of stringent cybersecurity measures and unceasing vigilance. The effects of the breach were not limited to cities like Karachi and Islamabad but extended to other parts of the country, and the immediate containment response meant an abrupt closure of services: NIFT shut down the service at once to prevent further compromise and to fix the discrepancies. The lessons for avoiding such cases are as follows: (1) the Importance of Cybersecurity, (2) Swift Response, and (3) Ramifications.

Summary of Speaker Sharing

Tatiana Tropina: Cybercrime and Cybersecurity

Tatiana discussed the intricate landscape of cybercrime and cybersecurity, emphasizing the need to consider the diversity of threats. In the event of a data breach, she highlighted the challenge of determining the responsible party, which could be cybercriminals or hacktivists, each with different consequences.

She delved deeper into the diversity of threats and talked about the adverse consequences of ransomware attacks, where cybercriminals compromise data and demand ransom payments to decrypt it.

She mentioned various ransomware attacks, such as the Big Dutch Cheese Hack in April 2021, ‘NotPetya’ in June 2017, which encrypted systems worldwide and disrupted various critical services in Europe and the US, and the Costa Rica ransomware attack in April 2022. She also referenced cyberattacks on US government agencies in June 2023. She then elaborated on international cybersecurity efforts: different nations have varying definitions of cybercrime, potentially leading to conflicts. Although laws can be a tool to combat cybercrime, they can also be wielded to restrict online freedoms and human rights, a worrisome prospect. The discussion also touched on concerns about the UN cybercrime negotiations.

Pranav Bhaskar Tiwari: Cybersecurity and Cyber-threats

Pranav discussed the complexities surrounding cybersecurity and cyber threats, focusing in particular on end-to-end encryption (E2EE) and its implications. E2EE ensures that messages are readable only by the sender and receiver, offering a high level of security. It is not limited to personal communications such as sharing Aadhaar card details but extends to broader cybersecurity. While it secures communications by making them accessible only to the sender and receiver, it also presents challenges: it can be misused for cybercrimes such as sharing illegal content, prompting some countries to consider ending end-to-end encryption to prevent such activities. However, this raises concerns about mass surveillance and overall cybersecurity vulnerability, as noted by UNICEF.

He then suggested the use of metadata for lawful surveillance as a potential solution. A significant obstacle, however, is the trust deficit between governments and companies, with neither party fully trusting the other. Building trust is essential for resolving these cybersecurity challenges.

Kenneth Leung: Cross-Border Data Breaches

Kenneth commenced by discussing data breaches, which are characterized as inherently transactional events involving data loss and data leaks. These breaches can occur intentionally or unintentionally, both online and offline, and have implications for contracts and privacy policies within organizations. 

He then highlighted cross-border data breaches, emphasizing the need for a coordinated response across different jurisdictions to ensure compliance with regulations and protect business and client interests. The conversation delved into questions surrounding data breach notifications, including whether they should be legally binding and how to define a data breach, with consideration for exceptions. It also stressed the importance of adapting data policies to evolving circumstances and the need for businesses to stay flexible in response to changing measures.

Finally, he mentioned various business practices in response to data breaches, such as anonymization, the adoption of standards like ISO/IEC 27001:2022, compliance with regulations like the GDPR, and engagement with international organizations like ICANN and APEC, all aimed at enhancing data security and mitigating breach risks.

Breakout Group Discussion

This section highlighted the points discussed in each breakout group. Below are the questions explored during the session:

  • What forms of regulation are required to adequately protect user privacy on the Internet? Is the mere creation and adoption of data protection regulations enough?
  • How can users be made more aware of cybersecurity and privacy practices online, and how can such practices be ensured and implemented?
  • PII data deletion requests rely on one-sided trust that organizations will comply. What regulations or best practices could we adopt to give users more assurance of an organization’s compliance with their requests?
  • What international standards and collaborations are necessary to establish a global approach to data protection, addressing challenges related to cross-border data flow and differences in various jurisdictions’ laws?

Breakout Group 1:

The group discussed the necessity of comprehensive data protection laws as a key focus, emphasizing the need for transparency, informed consent, and rigorous regulation of both software access to hardware permissions and the sale of user data. The importance of future-proofing user rights was also underscored. The discussion then shifted to the significance of two-factor authentication and the role of businesses in prioritizing privacy, highlighting the need for a broader approach beyond mere legal compliance. Creative strategies for raising cybersecurity awareness, such as gamification, were suggested, along with the need for a unified global approach to data protection, noting the limited reach of the GDPR outside the EU. The group also emphasized the importance of organizational compliance with standards like the GDPR, suggesting regular audits, transparent reporting, and third-party verification as methods to build trust in personal data handling. Finally, the session addressed the necessity of global standards compliance, calling for international coordination to establish harmonized data protection norms, taking cultural differences into account, and facilitating cross-border data movement, thereby enhancing the global response to emerging privacy threats.

Breakout Group 2:

The discussions during the session revolved around three key questions related to user privacy and data protection on the Internet. 

Firstly, the need for regulations to adequately protect user privacy was emphasized. The group highlighted the importance of comprehensive data protection laws, clearly defined data responsibilities, and effective user consent mechanisms. Concerns were then raised about regulating Artificial Intelligence, the necessity of cooperation for regulations to be effective, and the challenge of balancing privacy with data protection.

Secondly, the discussions explored methods to increase user awareness of cybersecurity and privacy practices online. The group suggested establishing liability for companies that handle user data and bringing them within the country’s jurisdiction, and emphasized the importance of education and the need for companies to provide privacy settings in user-friendly language.

Lastly, the session addressed the necessity of international standards and collaborations for a global approach to data protection. The discussions emphasized the multifaceted nature of data protection regulations, the importance of transparency and cooperation, the need for user education, and the significance of international collaboration to establish a comprehensive global approach to data protection and privacy.

Breakout Group 3:

The group discussed various aspects of internet user privacy and cybersecurity, emphasizing the need for a multi-faceted approach. They highlighted the importance of transparent and enforceable data protection regulations, tailored to specific countries like India, and underscored the necessity of international cooperation in this domain. The group acknowledged that robust data protection laws are crucial but must be complemented with user education and awareness. Balancing individual privacy with safety, especially in the face of government surveillance and data misuse by tech companies, was deemed essential. This balance is particularly relevant in the context of laws like Japan’s Specially Designated Secrets Act. 

Furthermore, the discussion pointed out the importance of legal frameworks and organizational compliance in data protection, with organizations like ICANN playing a pivotal role. The role of education in cybersecurity was a central theme, with a focus on informing vulnerable groups, engaging youth, and integrating cybersecurity into educational curricula. The group also emphasized the government’s role in preventing data breaches and the need for public awareness campaigns, especially in countries where awareness of data privacy rights is limited. Finally, the necessity of empowering the public with knowledge about their data rights and cyber threats was highlighted, aiming to create a more informed and resilient online community.

Written by Nawal Munir Ahmad, Aviral Kaintura, and Samra Shakeel