Welcome to MediaNama’s Live Blog from Nullcon 2019. Please note that quotes may be paraphrased for brevity and speed.

Student hackers at work

Notes from the Keynote panel: “Hacking Elections for Fun & Profit: Disinformation & Cognitive Cyber Offence”. Moderated by Pukhraj Singh (PS), cyber threat intelligence analyst, with participation from Eva Galperin (EG), Director of Cybersecurity at the Electronic Frontier Foundation; Hariprasad Vemuru (HV), Tech Advisor to the Government of Andhra Pradesh; and Anand Venkatanarayanan (AV), security researcher.

  • PS: Cognitive cyber offence is the next level of warfare… you’re being manipulated at this point. We define the boundaries of discourse.. some things aren’t talked about outside of this window… hackers exploit this open window.. you want an extreme narrative within this discourse… when it is amplified on social media, it is stretched to the extreme. India faced cognitive cyber offence.. Extreme narrative has become mainstream (in the media)
  • PS: Fact checking doesn’t work… “lies travel faster than truth”… intermediaries aren’t going to help us. The false positives are too high… in a ML way..
  • PS: A person’s social structure always remains the same… it’s easy to figure it
  • EG: I’m gonna disagree with PS.. Info warfare is not new and it is not all powerful… it’s just trying to get people to do what you want them to do.. activism is just trying to sell something that isn’t gross… and for me that was digital civil liberties… it’s bullshit that we don’t have free will and an aware brain.. the idea of info warfare is powerful, comforting and tempting, but it is not true.. it’s really easy to shift the blame to other people..
  • EG: I moved from the Soviet Union as a child.. and my parents continued to subscribe to the Soviet government paper Pravda, and it was full of lies.. I go out of my way to read and analyse government propaganda to this day…
  • EG: Info warfare is powerful as a tipping point. When you’re dealing with an unprepared society, info warfare campaigns can be very helpful… like with looming elections.
  • PS: I disagree with EG.. We’ve become programmable entities..

  • AV: Andhra Pradesh was at the centre of the disinformation campaign… (Aadhaar and state expenditures).. and it worked.. and the cognitive attack surface was, “who the f are you?”.. I was going up against known people…
  • AV: The Indian population falls for grand narratives.. the government had very particular voter data.. their caste, who they voted for… so what’s the precise WhatsApp message we should send them? This is beyond Cambridge Analytica… I’ve seen campaign dashboards by political entities.
  • HV: (on SRDH, Seva Mitra – used for election intelligence, we just want to understand if they’re being influenced by social media etc) To win a war is not easy… but maybe everybody doesn’t believe that. Before 2014, a door to door survey was done.. the voter list is also mapped periodically..
  • HV: People are being navigated to information.. ‘convince them or confuse them’… election hacking is very small, people’s minds are being hacked.. in infosec, you need a guinea pig.. and the government is doing it.. people who know dominate the people who don’t know. The rural population doesn’t understand the security part of it..
  • HV: The more you try to close a voting machine, the more people will try to fudge it…. in elections we fight for verifiability and accountability.. you don’t need to hack polling booths to get swing votes.
  • PS: ‘Diversity beats audacity’ when it comes to info warfare… homogeneity is more prone to being hacked..

*

On “Legal & Policy” by Ramanjit Chima, Asia Policy Director, Access Now

  • Indian cybersec challenges are that there are too many government organisations.. and sometimes complicated set of institutions.. sometimes even the parliamentarians and lawyers who follow this get confused.
  • The Draft Encryption Policy which came out a few years ago.. needed a plain text requirement with the government agency…. this was withdrawn in a couple of days.
  • Who was consulted with before this policy was drafted? Not infosec professionals..
  • Under the Tech Act, the government can ask you to decrypt information… and something that you can’t decrypt, and that’s of concern.. they can also set regulations regarding this.
  • There’s no privacy of the data protection issue… ‘there’s no fundamental right to privacy’.. was clarified.
  • The GoI took public comments on the Srikrishna report.. which issued a report, and a draft bill.. which the GoI said it would take to the parliament… The privacy and data protection bills may or may not come out after the elections.
  • India doesn’t have a clear federal data protection regime.. plus the second biggest internet user base in the world.
  • Currently, if you’re an intermediary, the Indian laws say that you’re not responsible for what’s hosted on it.. if I were criminally liable for the content, most companies are risk averse and would self censor… the current proposition is the intermediary liability rules… fairly controversial… people have said that this shouldn’t be done through regulations.
  • These topics will be discussed in the Lok Sabha in June-July.
  • As infosec professionals, you need to think about what really is the Cyber security strategy… Policy for the country.
  • It’s a good time to have a cybersecurity strategy for the country.. and this isn’t a country but an international issue.
  • We still don’t know the Indian government’s stand on this issue yet.
  • … Policy is politics..
  • We are a genuine democracy.. and what you say will drive (policy) developments..

*

At Nullcon’s closing address