What’s the current cyber security scenario like in India? Is the existing security architecture robust enough to tackle crisis like the latest ransomware threat?
The current cyber security scenario is India can at best be described as reactive. While most of the advanced nations included cyber security as a key socio-political agenda quite some time back, we have been lagging behind in even setting up a national cyber security architecture. USA for example, has a ‘Critical Infrastructure Identification, Prioritization, and Protection directive’ in place under parliamentary directive which maps mission critical services and installations that public and private sectors must work jointly to protect. India has just started to think in terms of setting up such a framework.
Having said, we are observing traction gaining in this direction with the government setting aside Rupees 1000 Crore fund to design the National Cyber Security architecture directly under the National Security Advisor. We have to see how this body defines tangible action points to safeguard ourselves against cyber-attacks of this nature.
Given the apparent ‘digital’ move by Modi government, how much of this translates to beefing up the digital infrastructure and security systems of the country?
As a nation, we are at the first stage of digitization which pertains to migration of our basic services towards digital platforms. Over the past few years, we have seen tremendous pace in this initiative.
Today almost all our services have become online. However, the situation today demands a parallel focus on securing digital information assets that it creates. Cyber security should be an integral part of all digital initiatives of the Government.
In my opinion, there is definitely a lag in this area and it will not be an understatement to say that we are sitting on a tinder box. Attacks of this kind should be a harbinger of change within the government’s mind set on cyber security.
Where do we stand globally on digital transformation and is our cyber security posture in sync with the changing times?
In terms of pure digital capabilities and digital transformation we have taken rapid strides in the past few years. We have deep mobile penetration as well as a high density of cyber usage, which defines the digital capabilities of a nation. Today our e-Services have actually reached the grassroots level and there is no denying the fact that the current Government’s digital push is making a lot of difference to people. This was unthinkable even five years back.
However, we are definitely behind many countries in terms of our cyber security posture. As mentioned earlier, the first tangible activity that we would like to see from the Government is a clear national cyber security infrastructure in place which is quite evolved in most other developed and developing countries.
Is cyber attack by its very nature of ingenuity results in a case to case reaction? Is this the way forward?
Yes, at some level, unfortunately. By the very nature of their sophistication, we end up dealing with them on ad-hoc basis. This is true not only for India, but also on a global level. America is continuously evolving their cyber defence posture after each seminal attack such as the Target and DDoS incidents.
However, this is definitely not how it should be. In my opinion, it is critical to develop analytical methods to identify vulnerability. Preparedness is the key and the focus should be on creating strong defensive methodologies to safeguard ourselves. Each of these incidents should be taken as opportunities to increase the body of knowledge that can be used to predict future attacks and thereby make our systems impregnable.
I strongly recommend the government to provide a platform for creating a knowledge repository of cyber incidences where companies or institutions can share their experiences which can be used to defend against future cyber events.
Do we have the right level of cohesion today among ministries of defence, home, external affairs and IT required to come up with a unified policy tank that can provide assessments of security situations in real-time?
There is a lot to be done on this front. Not only inter-ministerial coordination, but the scope should also include a collective initiative and responsibility sharing between government and the private sector. The appointment of the first Cyber Security Chief of the country and talks of setting up a National Cyber Co-ordination Centre as a command and control hub are directions towards achieving this. As of now there is limited coordination, but hopefully the National Security Council Secretariat will create a common platform very soon towards this direction.
Indian companies too have been hit in the recent global ransomware attack! What’s the need of the hour?
The need of the hour is to work on two fronts –the physical infrastructure and the human infrastructure. The former alludes to using the latest technology encompassing secured hardware and software. All systems and networks of vulnerable infrastructure such as police, banks and defence should be reviewed against technology obsolescence.
Apart from this, it is critical to develop skills of system and network administrators around cyber security, especially on behavioural analytics and incident response. They should be skilled on cyber defence so that they possess the core competence of identifying an attack, recommend a course of action and configure systems to help manage the attack. Just like our physical armed forces, India actually requires an army of cyber defenders.
What’s your message for tech users in general to steer clear of cyber-attacks?
Awareness is the key. In India, we have a very high density cyber usage, but an extremely low level of awareness on cyber security. Since a bulk of our computing is done on handheld devices, we should know the basic security features available on our devices. We must be also careful of connecting to public WiFi and follow basic internet safety etiquettes. From a PC user’s standpoint, one should be updated on their operating system and anti-virus software.
Most hacks are actually avoided if one’s PC runs a standard updated anti-virus. Also, users should identify SPAM mails and safeguard themselves from social engineering which prompts people to share their confidential details through innocuous looking emails and text messages.