The changing digital business climate in India

Late last month the Indian CERT issued a ruling directed at improving breach reporting and incident response. The ruling has a big impact in terms of limiting the privacy of India's computer users and how digital business is conducted there. The news has centered on its effect on VPN operators, but the ruling also affects data center providers and “intermediaries,” which could be any ISP or indeed any digital business of Indian origin. The ruling isn’t final but is supposed to go into effect next month.

— First, businesses must notify the CERT within six hours of any breach or security incident, and provide system logs, which have to be maintained for six months. These incidents span a wide collection of situations, including website defacement, identity theft, DDoS, data theft, wholesale port scans and other attacks. The six-hour window is a pretty tight one; other geographies have much longer notification periods (the EU’s GDPR allows 72 hours, for example), and in some cases businesses may not even know of a breach within that short time period.

— Second, digital businesses must collect and log a variety of user data, including valid names, IP addresses, public encryption keys, emails, physical addresses and phone contacts. CERT requests that any vendor keep these logs for up to five years. The businesses specifically mentioned in the ruling include remote access vendors, VPN operators, cloud providers and data centers. But it could apply to any company that has a bunch of programmers in India, which is certainly a common situation for perhaps most large international companies.

The actual logs are being collected to enable the CERT to reconstruct individual transactions so they can identify the parties involved. That is a tall order, because it assumes that businesses will have to collect a lot more data about their customers than they have done previously.

As you might imagine, this has thrown many businesses into a tizzy because of the onerous provisions in this ruling. What is curious is that India’s CERT has moved beyond its usual lane: a CERT is typically the national agency (ours began its operations in Pittsburgh) that handles breach reporting and makes recommendations when it observes increases in computer attacks.

The five-year log collection period is what I want to focus on. As I said at the top of this post, the news has mostly focused on VPN providers, and indeed they have reacted with some trepidation. Some have said they might have to forgo their Indian operations. “Forcing VPN providers to track user traffic and their private data is going to invalidate one of the last remaining safeguards of personal privacy on the public internet while helping to expose only a handful of lawbreakers,” said Artur Kane, the CMO at VPN provider GoodAccess.com.

The data retention piece of the regulation is also an issue. Part of the problem, as I mentioned in my earlier reviews of VPNs, is that figuring out data retention policies and practices is very difficult, and almost every vendor has problems here. But there is another side as well: “Asking VPN vendors to retain this amount of customer data is without precedent in democratic countries,” Kane said.

Many VPN providers have claimed “no logs” as part of their marketing strategies. This is almost as ridiculous, and nearly as unprovable, as their claims of “military-grade encryption.” CNet wrote this piece a few years ago about why you should be skeptical of these claims: there are numerous types of logs, and numerous ways to collect and dispose of this data. “No matter how much we trust any particular VPN to help mask our internet browsing, it’s virtually impossible to verify whether a VPN truly keeps no logs,” they wrote. I agree. If you want to research this further, read this analysis by Consumer Reports on how many VPNs keep local logs (on your own machine).

While getting better intelligence about cyber attacks is important, the way the Indian CERT is going about this is wrong-headed, and perhaps will prevent many companies from continuing to do business in India.

Network World: Lessons learned from the Atlassian network outage

Last month, software tools vendor Atlassian suffered a major network outage that lasted two weeks and affected more than 400 of their over 200,000 customers. It is rare that a vendor who has been hit with such a massive and public outage takes the effort to thoughtfully piece together what happened and why, and also provide a roadmap that others can learn from as well.

In a post on their blog last week, they describe their existing IT infrastructure in careful detail, point out the deficiencies in their disaster recovery program, explain how they will fix its shortcomings to prevent future outages, and describe timelines, workflows and ways they intend to improve their processes. I wrote an op/ed for Network World that gleans the four takeaways for network and IT managers.

Avast blog: Top MFA myths busted

Today is World Password Day. Ideally, every day you should take some time to improve your password collection, and the best way to do that is to use MFA. But for all of its utility, MFA still has its resisters. If you need some ammunition to fight for its acceptance across your company, we’ll bust a few MFA myths in my latest post for Avast and hopefully help you convince folks to get on board.

What is the online “town square” and how should it work?

The news about Elon Musk’s intended purchase of Twitter has brought about a lot of hooey and hand-wringing. Here are my thoughts. I first listened to a very interesting interview by ex-White House speechwriter Jon Favreau of Renee DiResta, an expert on tech policy at the Stanford Internet Observatory, whom I have quoted numerous times in the past. She makes the case that Elon has a fundamental misunderstanding of what online free speech means, even ignoring the fact that free speech protections only apply to governments, not companies. Renee amplifies the piece for The Atlantic that she wrote a few weeks ago, saying that Elon is more about attention than freedom (and who knows if his bid will even go through). “Free expression should be a foundational value,” she wrote. She also makes the case that all online social media products moderate their content, and most do so reactively, inconsistently or clumsily, or all three. This includes Truth Social, Gettr and Parler, just to name some of the more notable “free speech” ones. (The hyperlinks will take you to their community guidelines for your future reference.)

Suzanne Nossel, the CEO of the writers’ group PEN America, writes that “Musk will learn the hard way that there is no return to a mythic online Eden where all forms of speech flourish in miraculous harmony.” However, she agrees with him (and others) that our current content moderation methods are deeply flawed. If you haven’t learned the terms “shadow banned” (where followers are removed from your social accounts without telling them) or “retconned” (officially sanctioned revisionist history), you will hear them more often during these discussions.

So what is the solution? DiResta and others penned this piece in SciAm, suggesting that social media companies need to become more transparent. “The only way to understand what is happening on the platforms is for lawmakers and regulators to require social media companies to provide researchers and others access to data on the structures of social media, like platform features and algorithms.” PEN’s Nossel is also for more transparency. She suggests that more moderation is essential to prevent spammers, trolls, and other quackery from taking over social media and that “robust content moderation is here to stay,” especially to try to stem the tide of false-positive takedowns of content and users. For example, TikTok restores more than 1M videos each month after initially removing them for violations. Of course, they allow millions more to be posted to their site. But still, that is an awful lot of content to judge.

I think there is a bigger question that many of the commentators aren’t really addressing: do we really want an online town square? The comparison doesn’t really work when millions of people are shouting to be heard, or in places in the world that are under the grip of authoritarians. It very quickly devolves from the marketplace of ideas to mob rule. DiResta spoke about the “high harm areas of online that are worth moderating,” which is a good way to look at this, especially given the absence of facts in what is spewed there and how it is amplified and becomes part of the conversation offline.

Avast blog: The U.S. government wants to expand the use of social media for visa vetting

For the past several years, millions of foreign visitors and potential immigrants entering the US have divulged the contents of their social media accounts to the US Department of Homeland Security (DHS). This requirement is part of the Visa Lifecycle Vetting Initiative (VLVI), which began in 2014 and was expanded in 2019.

You can read more about the evolution and dangers of this program in my post for Avast’s blog here.

Avast blog: Obama on strengthening our democracy and reforming social media

Last week, Barack Obama delivered a keynote address at an event, “Challenges to Democracy in the Digital Information Realm,” co-hosted by the Stanford Cyber Policy Center and the Obama Foundation. He discussed the role of government in online technologies, the relationship between democracy and tech companies, and the role of digital media in elevating authoritarian rulers. He touched on the point that we all now occupy entirely different media realities that are fed directly into the “personal information bubbles” of our smartphones.

You can read my post for Avast’s blog here to see what else he had to say to this audience and what he recommends we do to fix social media to make it better for democracy.

CSOonline: How to choose the best VPN for security and privacy

Enterprise choices for virtual private networks (VPNs) used to be so simple. You had to choose between two protocols and a small number of suppliers. Those days are gone. Thanks to the pandemic, we have more remote workers than ever, and they need more sophisticated protection. And as the war in Ukraine continues, more people are turning to VPNs to get around blocks imposed by Russia and other authoritarian governments.

A VPN is still useful and perhaps essential to a modern mostly remote workplace. In this post for CSO, I describe these scenarios, what security researchers have found about how VPNs leak data or have other privacy issues, and what you should look for if you intend to deploy them across your enterprise.

FIR B2B podcast episode #156: Time to talk about the Twitter

Paul and I have been on Twitter for 15 years. While we were some of the first business tech journalists to use it, we have also spent a considerable amount of time investing in the care and cultivation of our accounts, and Paul has written several books about social media marketing. Even before the circus called Elon came to the Twittersphere, we had planned to devote a podcast to discussing whether Twitter can thrive in the era of constant outrage or whether it is destined to be another Myspace.

A couple of interesting sources informed this discussion, including Jon Favreau’s interview with Twitter co-founder Ev Williams, in which Williams recounts some of the early decisions that drove Twitter’s architecture and news orientation. There was also this piece by Jonathan Haidt in the Atlantic on how the past decade of our lives has been influenced by social media, and especially how the retweet function has driven misinformation and disinformation. Haidt believes social media has weakened the intrinsic trust that we place in each other.

While Elon’s dreams of a truly open source and “inclusive arena for free speech” might be taking Twitter down the wrong path, there are still many reasons for B2B marketers to use the network as long as they are authentic, can stick to their knitting and promote longer forms of content such as blogs and, yes, podcasts and videos. Just remember to stay in your swim lane.

You can listen to our 17-minute podcast here:

Avast blog: Introducing important changes to credit card data security standards

The Payment Card Industry Data Security Standards (PCI DSS) organization has made a series of updates to its standards with its latest version 4.0. It contains several important improvements; perhaps the most important change is the expansion of encryption and MFA requirements to protect all accounts that have access to cardholder data. I describe these developments in my post for Avast’s blog here.