Cyber security: Imperatives for India

Cyber security must be considered as a key enabler for Indias economic growth and the government and industry efforts and initiatives should reflect this realization
By Rahul Jain, DSCI , August 07, 2012

The phenomenal success of Indian outsourcing industry has positioned India as the global hub of IT and BPO services. In FY 2011, the industry aggregated revenues of USD 88.1 billion and is expected to grow revenues to USD 225 billion by 2020 out of which more than 75 percent revenue will be on account of export of software and services. The industry has provided job opportunities to over 10 million people through direct and indirect employment, and accounts for 6.4 percent of Indias GDP. The journey however has not been easy. Since the initial years, there have been serious concerns on the security of data in outsourced assignments. To overcome these concerns, the industry took proactive steps such as adopting best practices and global standards in security, investments in latest security technologies, allocation of skilled resources, spreading awareness among employees, focusing on IT governance, establishing internal auditing functions, etc. All these efforts have helped in providing assurance to clients, regulators and end customers abroad that India is a secure destination for outsourcing, and in the process have made the industry very mature in information security. This has been validated by regular client audits and assessments. However, the threat landscape is dynamic and requires the organizations to keep upgrading their security programs. Security is not a one-time activity but an ongoing journey. Therefore, to achieve the projection of USD 225 billion by 2020, data protection will continue to be one of the key enablers. Today, the importance of data security for India is not limited to the growth of outsourcing industry. As a subject, it has far greater implications. Our dependence on technology as a nation is increasing - epayments in India currently account for 35.3 percent of the total transactions in terms of volume and 88.3 percent in terms of value, card circulation - both credit and debit - was around 200 million in 2010. B2C ecommerce is expected to touch USD 10 billion this year a growth of 47 percent from 2010, whereas domestic IT market including telecommunications services and equipment is expected to touch USD110 billion by 2012. Also, India is expected to be the third largest Internet user base by 2013 in the world. Considering the power of the web, the Government is investing USD 10 billion in various e-Governance projects the Government policies are relying on technology to solve governance, corruption, service delivery and financial inclusion issues. In addition, businesses are leveraging technology to transform their business models and Defense and Police agencies are making strategic use of technology to modernize. In such a scenario, it is essential for us as a country to comprehensively understand the threats associated with the use of technology and operating in cyberspace- which is emerging as a fifth domain after land, sea, air and space that has no geographical boundaries and cuts across jurisdictions. These threats range from petty cyber crimes impacting an individual to sophisticated cyber attacks impacting national security by affecting economy, public safety or citizens lives. The number of cyber attacks and crimes are rising globally and India is no exception. There have been cyber attacks on PMO, CBI website,

T3 terminal, etc. Stuxnet, the deadliest attack vector that has been designed so far, that destroyed a nuclear reactor in Iran has reportedly infected systems in India. There is an increase in the number of cyber crimes registered under the Information Technology Act 2000. In the cyberspace, we must defend ourselves against international syndicates, terrorists, rogue nation states, competitors and disgruntled insiders, who operate from anywhere in the world and exploit vulnerabilities in IT systems to achieve their motives, without getting traced. What makes their job easier is the availability of information about such vulnerabilities on the Internet There are numerous challenges in cyber security. From a national security perspective, security of critical information infrastructure (CII) is a top priority of the government. National Security has traditionally (for air, land and sea) been the sole responsibility of the governments. But as the world has moved into the information age, with increased dependence on information infrastructure for production and delivery of products and services, the new responsibility of securing the CII against the rising number of cyber attacks has come within the ambit of national security. This new responsibility, however, does not lie solely with the Government; private sector has a major role to play since more than 80 percent of the CII is owned and operated by the private sector. However, private sectors investment in security is driven by business requirements and not by national security concerns. So how can government intervene? By regulating the private sector? Though regulations are necessary they should not add cost without necessarily improving security of CII. Too much government intervention through regulations can also undermine business innovation. So, should the government fund implementation of security practices / technologies in critical sectors? Such questions are debatable, however two things are very obvious there needs to be a strong and effective public-private partnership in cyber security as envisaged in the draft cyber security policy released by Department of Electronics & Information Technology and secondly, the government needs to incentivize the private sector to make investments in security. While the industry must take security seriously, and organizations, especially those which operate in critical sectors and IT sector, should consider security as a board-level agenda. India is a preferred supplier of IT services including software for major financial institutions, governments, etc. around the world, and as an industry, it is our responsibility to keep developing secure products and services. Security leaders within the organizations should be given more authority and support from the Board and the CEO. The second challenge is of coordination and cooperation at both - the national and international level. At the national level, there is currently lack of a comprehensive framework to ensure coordinated response and recovery, intelligence and information sharing mechanism, clarity in the role of different government agencies, involvement of state governments, and specified role of government and industry in PPP models. At the international level, there is absence of cooperation across jurisdictions to track cyber criminals and norms to address cyber security requirements, making it difficult for the Law Enforcement Agencies (LEAs) to bring cyber criminals to justice. Third and one of the most important challenges in cyber security is poor awareness and education about cyber security threats and the need to follow best practices, across different levels ranging from school children to top government officials / top management. Adding to the problem is the non-serious/reactive approach towards security. Because of poor awareness, we become vulnerable and easy victims of social engineering attacks, phishing sites, spurious e-mail communications, etc. Many such cyber threats can be easily mitigated if we are aware and vigilant. Lastly, there is lack of adequate training and knowledge available to LEAs and judiciary in understanding cyber crimes and relevance of evidence in the form of cyber forensics. NASSCOM and DSCI have established Cyber Labs program to build capacity of LEAs by setting up training labs across major cities

in India to train police officers in cyber crime investigations and cyber forensics and provide a platform for the industry and LEA to collaborate. Over 20,000 police officers have been trained so far. Similar PPP models need to be evolved for overcoming other challenges in cyber security. In todays information age, Internet is the engine for global economic growth and the cyber security initiatives of any country should not impede it. Cyber security must be considered as a key enabler for Indias economic growth and the government and industry efforts/initiatives should reflect this realization. To establish itself as the knowledge hub of the world, the key imperative for India is to address the cyber security challenges by leveraging the strengths of public and private sectors through public-private partnerships, considering the issue of cyber security at the board level within organizations and taking leadership and partnering with other nations for addressing global concerns in cyber security. Rahul Jain is Senior Consultant Security Practices, Data Security Council of India a NASSCOM initiative. The views and opinions expressed in the article are those of the author