Showing posts with label NDAA. Show all posts
Showing posts with label NDAA. Show all posts

Wednesday, July 1, 2026

Become a Cybersecurity Expert in 2026?

How to Become a Cybersecurity Expert in 2026? 

In the swiftly changing realm of cybersecurity, the significance of experts has never been more crucial. As we enter 2026, the demand for skilled professionals safeguarding our digital realm continues to soar. This guide is your roadmap to mastering the intricacies of cybersecurity and establishing yourself as an authority in the field. By understanding the basics, pursuing relevant education and certifications, and staying informed about emerging threats, you can embark on a journey to become a cybersecurity expert. With hands-on experience, specialization in niche areas, and a commitment to ethical practices, you’ll possess the tools to navigate the ever-changing challenges of the digital security terrain effectively. Join us in unraveling the path to cybersecurity expertise in the year 2026.

Securing video surveillance systems is critical, as network-connected cameras are prime targets for cyberattacks that can expose sensitive, real-time footage or enable DDoS attacks. Effective protection requires robust cybersecurity measures, including encrypted transmission (TLS 1.3), regular firmware updates, strict authentication, and secure, often cloud-based, management software to prevent unauthorized access and data breaches.

Key Cybersecurity Risks in Video Surveillance

·        Unauthorized Access: Hackers can gain access to live camera feeds, compromising privacy.

·        Data Manipulation/Theft: Attackers may delete or steal recorded footage.

·        Botnets and DDoS Attacks: Vulnerable cameras can be recruited into botnets to launch Distributed Denial of Service (DDoS) attacks.

·        System Shutdown: Attackers can turn off surveillance, leaving sites unprotected.

Who is a Cybersecurity Expert?

A cybersecurity expert is a skilled professional proficient in safeguarding digital systems, networks, and data. They analyze and mitigate cybersecurity risks, implement robust defense mechanisms, and stay updated on evolving threats. Proficient in ethical hacking and secure solution development, they formulate strategies to protect sensitive information. Their role spans programming, network security, incident response, and risk management, which is crucial in fortifying digital infrastructures against ever-evolving cyber threats.

Different Types of Experts

1. Red Team: The red team, or ethical hackers, actively seek network vulnerabilities, simulating real attacks to identify weaknesses and enhance defenses, contributing to a more robust cybersecurity posture.

2. Blue Team: The blue team acts as the defense force, monitoring systems, detecting and investigating threats, and implementing security measures to safeguard organizational assets against cyber attacks.

3. Digital Forensics Experts: Digital forensics experts gather and analyze digital evidence post-cyber attacks, reconstructing events to aid investigations. They play a crucial role in uncovering insights and supporting the resolution of security incidents.

4. Security Architects: Security architects concentrate on designing and implementing secure technology infrastructure, considering technical and organizational cybersecurity aspects. Their role involves creating robust systems to ensure comprehensive protection against potential threats.

5. Threat Intelligence Analysts: Threat intelligence analysts monitor dynamic cyber threats, analyze attack patterns, and provide insights to shape proactive defensive strategies. They ensure organizations stay ahead of potential adversaries. Their role involves staying vigilant and informed to enhance cybersecurity preparedness.

Cyber Security Expert Skills

1. Technical Proficiency: Adapting an understanding of fundamental security principles such as cryptography, network security, operating systems, incident response, and threat detection establishes a foundational solid expertise. This mastery serves as a cornerstone for effective cybersecurity practices.

2. Specialized Expertise: Specialized expertise in Red Team penetration testing or Blue Team defense showcases a nuanced understanding of cloud security, forensics, or threat intelligence, illustrating a tailored and in-depth proficiency. This specialization enhances effectiveness in addressing specific cybersecurity challenges within the chosen domain.

3. Scripting and Automation: Efficient utilization of scripting languages such as Python or Bash enables task automation, streamlines processes, and optimizes overall efficiency in cybersecurity operations. This proficiency empowers professionals to automate repetitive tasks, allowing for a more agile and responsive security environment.

4. Adaptability and Continuous Learning: Demonstrating adaptability and the capability to comprehend emerging technologies like cloud security, AI/ML in security, and blockchain security reflects a steadfast commitment to staying informed in the dynamic cybersecurity landscape. This commitment ensures ongoing relevance and effectiveness in addressing the evolving challenges within the field.

5. Tool Proficiency: Proficiency in employing security tools like SIEM, IDS/IPS, vulnerability scanners, and incident response platforms showcases an adept utilization of technology for implementing thorough security measures. This expertise enhances the ability to monitor, detect, and respond effectively to potential cybersecurity threats.

How to Become a Cybersecurity Expert in 2026?

1. Build a Solid Foundation:

Establish a strong foundation for your cybersecurity journey by acquiring a bachelor’s degree in computer science, information security, or a related field. Alternatively, gain essential knowledge through online courses or boot camps. Focus on mastering fundamental concepts such as cryptography, network security, operating systems, and incident response. Validate your understanding with CompTIA Security+ and CEH certifications, ensuring a solid educational groundwork for your cybersecurity expertise.

2. Choose Your Specialization:

Select your cybersecurity specialization based on your preference: engage in vulnerability hunting as a hacker with the Red Team or defend systems against attacks as part of the Blue Team. Each path demands distinct skill sets and certifications tailored to your chosen role. Additionally, consider emerging areas such as cloud security, threat intelligence, and digital forensics, researching certifications to align with your interests and career goals.

3. Refine your Practical Cybersecurity Skills:

Hone your practical cybersecurity skills by engaging in hands-on experiences with online labs and virtual machines and Capture the Flag (CTF) competitions on platforms like HackTheBox and VulnHub. These environments provide challenging scenarios to test and enhance your abilities. Additionally, contribute to open-source security tools and projects to gain valuable real-world experience, establishing a robust portfolio that showcases your hands-on expertise in the field.

4. Network and Stay Updated:

Stay connected and updated in cybersecurity by actively engaging with the community. Participate in online forums, attend conferences, and connect with professionals to gain insights and stay ahead. Embrace continuous learning as the industry evolves swiftly; regularly peruse security blogs, news, and research papers to stay well-informed about the latest threats and vulnerabilities. This proactive approach ensures that you remain abreast of industry trends and developments, contributing to your effectiveness as a cybersecurity professional.

5. Certifications Can Boost Your Resume:

Enhance your resume strategically by selecting certifications that align with your chosen specialization, emphasizing industry-recognized credentials. While certifications validate your knowledge and commitment, remember that they complement expertise, not a substitute. Foster a dedication to continual learning. Progress your career by pursuing advanced certifications to stay informed on the latest developments, reinforcing your professional advancement. This strategy guarantees a versatile and constantly evolving skill set.

 

Cyber Security Expert Salary in India

Cyber Security Analyst:

Experience

·        Entry-level: ₹4.7 Lakhs – ₹6 Lakhs

·        Mid-level: ₹6 Lakhs – ₹8 Lakhs

·        Senior-level: ₹8 Lakhs – ₹10 Lakhs

Skills and Certifications:

·        Specialized skills like penetration testing, cloud security, or threat intelligence can increase salary by 10-20%.

·        Relevant certifications like CISSP, CISA, or CEH can boost pay by 10-20%.

Cyber Security Engineer:

·        Low end: ₹5.0 Lakhs per year Approx

·        Average: ₹7.3 Lakhs per year Approx

·        High end: ₹15.0 Lakhs per year Approx

Skills and Certifications:

Specialized network security, cloud security, or security architecture skills can significantly boost your salary. Relevant certifications like CCNA Security, CEH, or CISA can also increase your earning potential by 10-20%.

Cyber Security Consultant:

·        Low end: ₹6.0 Lakhs per year Approx

·        Average: ₹11.2 Lakhs per year Approx

·        High end: ₹24.0 Lakhs per year Approx

Skills and Certifications:

Specialized skills like penetration testing, incident response, or threat intelligence can significantly boost your salary. Relevant certifications like CISSP, CISA, or CEH can also increase your earning potential by 10-20%.

Cyber Security Associate:

·        Low end: ₹2.5 Lakhs per year Approx

·        Average: ₹6.1 Lakhs per year Approx

·        High end: ₹14.0 Lakhs per year Approx

Skills and Certifications:

Specialized skills in specific areas, such as security awareness training, vulnerability management, or essential incident response, can boost your salary. Relevant certifications, like CompTIA Security+ or CEH, can also increase your earning potential by 10-20%.

SOC Analyst:

·        Low end: ₹3.0 Lakhs per year Approx

·        Average: ₹5.1 Lakhs per year Approx

·        High end: ₹8.0 Lakhs per year Approx

Skills and Certifications:

Specialized skills in intrusion detection systems (IDS), security information and event management (SIEM) tools, and incident response procedures can boost your salary. Relevant certifications like Security+, CEH, or CISSP can also increase your earning potential by 10-20%.

Penetration Tester:

·        Low end: ₹4.5 Lakhs per year Approx

·        Average: ₹9.3 Lakhs per year Approx

·        High end: ₹18.3 Lakhs per year Approx

Skills and Certifications:

Specialized skills in different types of penetration testing (web application, network, social engineering), knowledge of vulnerability assessment tools, and experience with coding languages like Python can significantly boost your salary. Relevant certifications like OSCP, CEH, or GPEN can also increase your earning potential by 10-20%.

ISO 27001 is the premier international standard for Information Security Management Systems (ISMS), providing a framework to manage risks to data confidentiality, integrity, and availability. It assists organizations in establishing, implementing, monitoring, and maintaining security controls, transitioning from ad-hoc security to a structured, risk-aware approach.

Key Aspects of ISO 27001 for Experts:

·        Not Just Technical: It is primarily a management standard focused on Governance, Risk, and Compliance (GRC), requiring policies, procedures, and personnel vetting in addition to technology controls.

·        Risk-Driven Approach: It mandates identifying, assessing, and treating risks tailored to the organization's unique assets.

·        2022 Update: The latest version (ISO/IEC 27001:2022) focuses on Information Security, Cybersecurity, and Privacy Protection.

·        Benefits: Certification builds trust, ensures legal compliance (e.g., GDPR), and significantly reduces the probability of security incidents.

The Role of a Cybersecurity Expert in ISO 27001:

·        Gap Analysis: Assessing current security measures against ISO 27001 requirements.

·        Risk Management: Developing the Statement of Applicability (SoA) and risk treatment plans.

·        Implementation & Audit: Implementing controls (Annex A) and conducting internal audits to ensure compliance.

·        Maintenance: Continuously improving the ISMS to handle evolving threats.

The Intersection of Physical and Cyber Security

Modern surveillance, particularly AI-enabled systems, serves as a high-value target for hackers, making cybersecurity a mandatory aspect of physical security management. Protecting surveillance data is also critical for compliance with privacy regulations like GDPR, ensuring that personal data captured is not compromised.

1. What responsibilities do manufacturers of surveillance technology have, both at the hardware and software level, to ensure that their products meet cybersecurity standards?

The manufacturer's responsibility arises from the end customer's perspective. They must consider the entire value chain, including upstream suppliers. And with regard to physical security – and this naturally includes surveillance components – one thing is very important: network-based video security products for physical security (e.g. for perimeter protection, building protection) must not jeopardise the “other”, complementary security of the CRITIS operators, namely IT and cybersecurity. Video surveillance cameras and systems must not be a gateway into the customer's IT network or OT network.

As a European manufacturer of video surveillance devices, we have voluntarily and proactively taken on our corporate responsibility even before and beyond legal regulations such as the EU NIS-2 Directive and the Cyber Resilience Act (CRA). The “Security by Design” guidelines set out in the EU-GDPR provide decisive guidance for manufacturers and users. We see that end customers are therefore increasingly asking for products and solutions that meet these criteria and are “Made in Europe”. NDAA compliance – although not officially relevant in the EU – is also often used as a quality criterion.

Consider the entire supply chain. Ensure that CRITIS upstream suppliers comply with “security and privacy by design” principles. “Made in Germany” and “Made in Europe” are once again increasingly in demand as a seal of quality, security and trust. Additionally, network-based video security products for physical security, such as perimeter protection and building protection, must not compromise the complementary security of CRITIS operators, namely IT and cybersecurity.
Photo credit: Dallmeier

2. When looking for a suitable surveillance solution, what should customers and users look for? What expectations should they have of manufacturers, their installers and integrators, and what cyber responsibility lies with the users themselves?

When selecting manufacturers and integrators, it is advisable to carry out a thorough manufacturer check in advance to ensure that the products offer the highest level of technical cybersecurity and meet the requirements for physical security. This includes assessments, tests and proof of cyber conformity. Furthermore, products should comply with the “Security by Design” and “Privacy by Design” principles of the EU-GDPR. Legal compliance in accordance with European directives and national laws (NIS-2 | RCE | CRA) is equally important. Legal compliance also means that the solutions actually offer adequate physical protection according to the technological “state of the art” and that the supply chain fulfils the security criteria. Cyber- and ethical aspects of the manufacturer and its country of manufacture must be checked, particularly with regard to authoritarian third countries. In the case of the latter, it is not only a question of possible gateways, but also of keeping an eye on a possible current or future influence by official bodies such as secret services to request access to systems. Validated references and proof of expertise in physical security and cybersecurity should be obtained and it is advisable to carefully check the extent to which the manufacturer has tested both dimensions of resilience together.

3. Many users, especially individuals and small businesses, may not immediately realise why cybersecurity should be an issue when using surveillance solutions. What would you recommend to explain the risks and raise awareness?

Cybersecurity in the use of surveillance solutions is an often underestimated but extremely important issue. Nowadays, cameras, workstations and recording systems are almost always connected to the internet as they act as “IoT” devices. This means that they are just as vulnerable to cyberattacks as any other networked system. To make the risks clear and sensitise users, we recommend creating permanent awareness for risk analysis, cybersecurity and cyber hygiene. This includes regular training and education.

Appropriate technical and organisational measures (TOMs) help to ensure cybersecurity. This includes complying with the “state of the art” and ensuring the security of the supply chain. Security measures should be taken when purchasing, developing and maintaining IT systems and components in order to avoid disruptions to availability, integrity, authenticity and confidentiality. It is also important to ensure that they are used as intended and to install regular security updates.

It is particularly important to raise risk awareness among users and executive management. We therefore recommend raising awareness of the high priority of cybersecurity and preparing for the law. For example, by highlighting high-profile cases that could cause monetary and reputational damage, up to the worst-case scenario of jeopardising business continuity or bankruptcy. It is also helpful to point out the stricter liability rules for management and the threat of fines under NIS-2, RCE and regulations and directives such as the GDPR (Security by Design) or the US NDAA.

4. The popularity of cloud-based surveillance technology continues to grow. What are the potential risks of relying on external service providers? Or are cloud services perhaps even more cyber secure as cloud providers place more emphasis on security? What cybersecurity issues should users consider when using cloud services for surveillance?

In our view, the success and global acceptance of cloud technologies and cloud applications is confirmation that companies and users have established and gained a certain basic trust in the cloud. And yes, in our view, cloud providers can invest more in security technologies and also provide professional personnel expertise than the customer or the medium-sized or large company itself. In general, both cloud and on-premise operations must comply with the appropriate technical and organisational measures in terms of cybersecurity in accordance with industry standards. The greatest risk is often the user or the person themselves, regardless of whether cloud or on-premise. From a technical perspective, there is no longer any difference between the security of cloud and on-premise environments in terms of physical security.

5. How does your company make sure that the solutions you provide are cyber secure?

In addition to compliance with data security regulations by the user, we as a manufacturer of video surveillance systems also bear a high level of responsibility, and our products and solutions offer our customers an extremely broad portfolio of proven technical functions for data security and data protection. The fact that all development and production is based in Regensburg, Germany, means that we also have full control over all stages of the value chain and can ensure the highest level of cybersecurity in all aspects. The development and manufacturing within the framework of the rule of law also guarantees neutrality towards state interference and maximum ethical responsibility. Our products are compliant with EU-GDPR, NDAA and all planned directives related to data protection and cybersecurity, such as EU NIS-2, EU RCE, EU CRA, in preparation with the EU AI Artificial Intelligence Act and DIN 62676-4. Our internal Information Security Management System (ISMS) and internal IT security processes are ISO 27001 compliant and certified.

The Certified Information Systems Security Professional (CISSP) is the industry's gold-standard credential for advanced cybersecurity leadership, management, and architecture. Earning it proves you possess the deep technical and managerial competence needed to design, engineer, and manage an organization's overall security posture.

Key Requirements

·        Work Experience: You need at least five years of cumulative, paid work experience.

·        Domain Coverage: Your experience must span at least two of the eight domains in the CISSP Common Body of Knowledge (CBK).

·        Education Waiver: A relevant four-year college degree or an approved additional credential (like Security+ or CISM) satisfies one year of the required experience.

The Eight CISSP Domains

1.   Security and Risk Management: Compliance, legal regulations, professional ethics, and risk management concepts.

2.   Asset Security: Data classification, privacy protection, and asset retention/lifecycle management.

3.   Security Architecture and Engineering: Secure design principles, cryptography, and vulnerability mitigation.

4.   Communication and Network Security: Securing network channels, IP networking, and transmission media.

5.   Identity and Access Management (IAM): Controlling physical and logical access, identity provisioning, and authentication mechanisms.

6.   Security Assessment and Testing: Designing and conducting vulnerability assessments and penetration testing.

7.   Security Operations: Incident response, disaster recovery, forensics, and resource protection.

8.   Software Development Security: Application security controls, ecosystem vulnerabilities, and secure coding practices.

Exam Details

·        Format: Computer Adaptive Testing (CAT).

·        Length: 3 hours long, containing 100 to 150 questions.

·        Passing Score: 700 out of 1000 points


Saturday, October 1, 2022

Electronic Surveillance Threats

Electronic Surveillance Threats 

In 2017 the Supreme Court ruled in a landmark judgment that privacy is a fundamental right. From sophisticated spyware attacks to mass phishing via smartphones and the rise of facial recognition technology, the range and reach of surveillance threats to human rights defenders is growing.

For security teams trying to keep activists safe, it is a cat-and-mouse game as attackers rapidly adapt to developments aimed at protection.

“When cyber-attackers see people are switching to using (messaging app) Signal, for example, then they will try to target Signal. If people start changing to VPN technology, they will start blocking VPN technology. If people are using Tor browser, they will target Tor traffic,” says Ramy Raoof, tactical technologist with Amnesty Tech.

Automated surveillance equipment has become increasingly common and connected, making the technique more covert and pervasive.  Mobile hacking, social engineering, network monitoring, face recognition technologies, GPS tracking, and various other methods commonly employed to catch and prevent crime and terrorism can also be used against civilians.

Electronic surveillance threats – defending a facility against electronic surveillance is a serious challenge and one that hasn’t been made any easier by the proliferation of computer networks and wireless. Not only are businesses under threat from phone tapping, and video and audio surveillance, wired and wireless computer networks offer attackers a new dimension of intrusion.

Even the simplest electronic surveillance devices are diverse, with room transmitters being among the most common. Their role is to detect all the environmental noise emanating from the location in which they’re planted.

Primary variations with room transmitters relate to differences in power sources. In this case, either battery or mains power and it’s the battery powered devices that are most diverse. Such devices can be secreted inside almost any object allowing for their minimal space requirements. Examples include the inside of pens, calculators, clocks, photo frames, under carpet, behind curtains and underneath or inside furniture.

The types of battery used to power these devices varies too, depending on the design, size and planned use of the device. Self-contained transmitters designed for surreptitious surveillance favour small button batteries or higher performance hearing aid batteries. When size is less of a concern and length of transmission a higher priority, larger and longer lasting batteries can be used, including the latest lithium types.

Average transmission devices typically have dimensions around 19mm x 12mm x 9mm. Should a small transmitter be built into a pen or a calculator, transmission range will be limited, around 15-20m, though the use of lithium batteries will increase the range.

Mains-powered room transmitters draw current either directly from the mains voltage or trickle charge a battery that’s also used to power the device. The advantages of this technique where electronic intruders are concerned include the fact there will be less impact on main power sources that could be monitored for fluctuations. Should mains power be lost the device will continue to operate.

The key technical issue for mains powered transmitters is to reduce 240V of alternating current to a direct current, low voltage output of 6-18V. Designers are required to combine transmission circuitry along with a voltage dropper, rectification, smoothing and voltage stabilization circuits.

As a rule, the most popular way to get the small current and voltage requirements is to use a high voltage capacitor to act as resistance at the 50/60Hz mains supply frequency. Low power can be partially offset by injecting some radio power into the mains.

Should there be enough room and a sufficiently low risk of detection, it’s sometimes possible for a stepdown transformer to be used – this is inherently more reliable that capacitor leakage or dropper resistance techniques. It’s also possible for a transformer to supply a far greater level of power to a strong transmitter.

AC units can be located inside walls, ceilings, under floors, inside office equipment, in mains-powered clocks and within lamps and lamp holders to name just a few possibilities. One of the favoured methods of installing an AC bug is to simply plug in a dummy double adaptor to a power point in the room you wish monitor. Despite the simplicity of this technique, only the most observant would notice and even then, would be most unlikely to consider the appearance of the unit a threat to security.

Electronic intruders wishing to secure a standalone mains-powered transmitter are usually supplied with a square plastic box about 50mm x 50mm x 18mm, or an encapsulating board. There will be a pair of trailing leads coming from these units for connection to the live and neutral lines of domestic AC.

There are still PSTN telephone transmitters. These are connected to target telephone systems and transmit information to a receiving station located nearby. The 2 basic models are the series-connected transmitter and the parallel-connected transmitter. Both types either draw their operating voltage from the PSTN phone line itself, or carry their own batteries that may be trickle-charged from the phone line.

Series connected transmitters are connected between a telephone socket and a telephone. In this configuration, only that extension will be accessed by the listener. But in the event a series transmitter is used and located on the incoming wires of a 2-pair cable on the other side of a telephone socket, all extensions of the line can be accessed.

Muliplex telephone systems make life extremely hard for electronic intruders trying to record communications. Because these systems multiplex more than one signal onto a 2-pair cable, an intruder would need to employ a de-multiplexer to access phones.

Partially connected transmitters are different. Both incoming feed wires are connected to the parallel connected device, and this means the information will be transmitted if either phone is used. With a series device, the wiring of the telephone must be disconnected to allow insertion of the transmitter. But installation doesn’t mean cutting and stripping of feed wires. Instead, the device can be installed in a junction box that offers sufficient room, or even in a telephone.

Series devices are easiest for security managers to detect using one of the counter surveillance devices on the market that alert security staff to temporary disconnection of phone lines. It’s possible for alarm panels monitoring alarm systems to also monitor phone lines for integrity, with any breaches then reported.

Parallel series devices, however, can be installed without temporary line breaks and without effect on resistance. This makes them harder to detect, though if the unit is drawing power from its host, this will cause a voltage drop. Parallel devices are often equipped with alligator clips requiring no more than a few millimetres of cable to be stripped or a pair of bare terminals.

Battery-powered types are harder to detect and more effective in their operation. With their greater operating current, they can achieve greater operating ranges than bugs, giving 500-1000m ranges instead of 25-50m. Even harder to detect are small rain-proof telephone transmitters that can be connected to any point of the exterior wiring as it leaves a building or joins a telephone pole. Such a device might never be detected.

Mobile phones are usually tapped using spyware. This is a whole other science – it’s possible for experts to search for spyware and users might notice quirks like rapid battery drain, though it can be difficult to know whether this is caused by an illicit piece of software, too many open apps, or simply an aging battery.

There are 2 primary groups of microphones available to an individual or organization seeking illicit access to communications. These are omnidirectional and unidirectional. Unidirectional microphones are portable and can be aimed at a target. They’re a parabolic dish-mount device that can be hand-held or tripod mounted. Such units offer excellent results for the electronic intruder. Using a 45cm reflector, high quality sound can be obtained at 250m. This performance increases fourfold if the reflector size is doubled but the unit becomes much more visible.

Omnidirectional units pick up audio signals coming from any point of the compass and in surveillance devices they usually have a diameter of about 6mm. As a rule, these devices will be more effective towards the front. Another type of microphone, the spike mike, is mounted on the end of a spike or probe. Microphones can be connected to the audio input of a miniature transmitter, allowing remote monitoring of conversations.

Like any other internet-connected device, surveillance systems can be vulnerable to attacks without the right cyber-security measures in place. Hackers can easily gain access to poorly configured devices with design flaws or faulty firmware and manipulate or steal data. With cyber-attacks accelerating, surveillance systems need to be protected from vulnerabilities, and require the same vigilance provided to IT systems.

Closed-circuit video cameras to transmit a signal to a specific place, on a limited set of monitors. It differs from broadcast television in that the signal is not openly transmitted, though it may employ point-to-point (P2P), point-to-multipoint (P2MP), or mesh wired or wireless links but transmit a signal to a specific place only. Not for open to all.

Cities in at least 56 countries worldwide have deployed surveillance technologies powered by automatic data mining, facial recognition, and other forms of artificial intelligence.

The ban that prohibits the purchase and installation of video surveillance equipment from HikVision, Dahua and Hytera Communications in federal installations – passed on year 2018 National Defense Authorization Act (NDAA). In conjunction with the ban’s implementation, the government has also published a Federal Acquisition Regulation (FAR) that outlines interim rules for how it will be applied moving forward. Like NFPA, now NDAA law accept globally.

Rules outlined in this FAR include:

·        A “solicitation provision” that requires government contractors to declare whether a bid includes covered equipment under the act;

·        Defines covered equipment to include commercial items, including commercially available off-the-shelf (COTS) items, which the rule says, “may have a significant economic impact on a substantial number of small entities;”

·        Requires government procurement officers to modify indefinite delivery contracts to include the FAR clause for future orders;

·        Extends the ban to contracts at or below both the Micro-Purchase Threshold ($10,000) and Simplified Acquisition Threshold ($250,000), which typically gives agencies the ability to make purchases without federal acquisition rules applying.

·        Prohibits the purchase and installation of equipment from Chinese telecom giants Huawei and ZTE Corporation. This would also presumably extend to Huawei subsidiary Hisilicon, whose chips are found in many network cameras;

·        And, gives executive agency heads the ability grant a one-time waiver on a case-by-case basis for up to a two-year period.

Specifically, NDAA Section 889 creates a general prohibition on telecommunications or video surveillance equipment or services produced or provided by the following companies (and associated subsidiaries or affiliates):

·        Huawei Technologies Company; or

·        ZTE Corporation

It also prohibits equipment or services used specifically for national security purposes, such as public safety or security of government facilities, provided by the following companies (and associated subsidiaries or affiliates):

·        Hytera Communications Corporation;

·        Hangzhou HikVision Digital Technology Company; or

·        Dahua Technology Company

While the prohibitions are initially limited to the five named companies, Section 889 authorizes the Secretary of Defense, in consultation with the Director of National Intelligence or the Director of the FBI, to extend these restrictions to additional companies based on their relationships to the Chinese Government. The prohibitions will take effect for executive-branch agencies on August 13, 2019, one year after the date of the enactment of the 2019 NDAA, and will extend to beneficiaries of any grants, loans, or subsidies from such agencies after an additional year.

The provisions of Section 889 are quite broad, and key concepts are left undefined, such as how the Secretary of Defense is to determine what constitutes an entity that is “owned or controlled by, or otherwise connected to” a covered foreign country, or how the head of an agency should determine whether a component is “substantial,” “essential,” or “critical” to the system of which it is part. The statute also fails to address the application of the prohibitions to equipment produced by U.S. manufacturers that incorporate elements supplied by the covered entities as original equipment manufacturers (“OEMs”) or other kinds of supplier relationships.

Section 889 contains two exceptions under which its prohibitions do not apply:

(1) It allows Executive agencies to procure services that connect to the facilities of a third party, “such as backhaul, roaming, or interconnection arrangements.” This likely means telecommunications providers are permitted to maintain common network arrangements with the covered entities.

(2) It permits covered telecommunications equipment that is unable to “route or redirect user data traffic or permit visibility into any user data or packets” it might handle, meaning a contractor may still be able to provide services to the Government so long as any covered equipment provided is unable to interact or access the data it handles.

The Constitution of India guarantees every citizen the right to life and personal liberty under Article 21. The Supreme Court, in Justice K.S. Puttaswamy v. Union of India (2017), ruled that privacy is a fundamental right. But this right is not unbridled or absolute. The Central government, under Section 69 of the Information Technology (IT) Act, 2000, has the power to impose reasonable restrictions on this right and intercept, decrypt or monitor Internet traffic or electronic data whenever there is a threat to national security, national integrity, security of the state, and friendly relations with other countries, or in the interest of public order and decency, or to prevent incitement to commission of an offence.

Only in such exceptional circumstances, however, can an individual’s right to privacy be superseded to protect national interest. The Central government passed the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, that allow the Secretary in the Home Ministry/Home Departments to authorise agencies to intercept, decrypt or monitor Internet traffic or electronic data. In emergency situations, such approval can be given by a person not below the Joint Secretary in the Indian government. In today’s times, when fake news and illegal activities such as cyber terrorism on the dark web are on the rise, the importance of reserving such powers to conduct surveillance cannot be undermined.

Risk of Electronic Security Threats to EHR/HIS is a critical issue because as per the privacy and security rule of The Health Insurance Portability and Accountability Act (HIPAA) the patient’s medical records are to be secured and private which can be accessible only the hospital authorities and the doctors in charge of the patient and the patient himself.

More advanced techniques now no longer require a target to actively click on a link in order to infect a device, explains Amnesty Tech security researcher Etienne Maynier. An attack using NSO spyware on an activist in Morocco covertly intercepted the activist’s web browsing to infect their phone with spyware. “Instead of waiting for you to click on a link, they instead hijack your web browser’s traffic and redirect you to a malicious website which tries to secretly install spyware,” says Maynier.

Successful targeting of well-protected phones is becoming more common and security teams are under added pressure from a burgeoning industry in so-called ‘zero-day’ exploits, in which unscrupulous hackers seek to find unknown vulnerabilities in software to sell. In May 2019, NSO Group exploited a zero-day vulnerability in WhatsApp that was used to target more than 100 human rights activists across the world with spyware.

How to keep your communications safe:

Using public Wi-Fi and VPNs: When you connect to Wi-Fi in a cafe or airport your internet activities are routed through that network. If attackers are on the network, they could capture your personal data. By using a VPN app on your devices, you protect your online activities when accessing public connections, preventing your internet activities from being seen by others on the same network. If you want to explore options, try NordVPN and TunnelBear.

Password management: Using a password manager means you don’t have to worry about forgetting passwords and can avoid using the same ones. It’s a tool that creates and safely stores strong passwords for you, so you can use many different passwords on different sites and services. There are various password managers such as KeePassXC , 1Password or Lastpass. Remember to back up your password manager database. Do not use password like password, ddmmyyyy, admin@123, administrator, administrator1, Super@1234 etc.

Messaging apps: When we advise human rights defenders about messaging apps, we assess each app on its policies (such as terms of service, privacy agreement), its technology (if it’s open source, available for review, has been audited, security) and finally the situation (if the app provides the features and functionality that fits the need and threat model). Generally speaking, Signal and Wire are two apps with strong privacy features.  Remember: Signal requires a SIM card to register, and for Wire you can sign up with a username/email.

Phone basics for iPhone or Android: Only download apps from the official app store to prevent your personal information from being accessed without your consent and to minimise the risk of attacks. Update your system and apps frequently to ensure they have the latest security patches. Enable ‘account recovery’ in case you lose access to your phone. Finally, choose a mobile screen lock that is not easily guessed, such as an 8-digit pin or an alphanumeric code.