With the progress of the Digital India and Smart City programmes, as governance and businesses make the shift online, it is high time to consider security solutions that will preempt hacking and protect the nation’s cyber assets from potentially crippling attacks.
By Mohd Ujaley
Recently the website of the Indian Space Agency’s commercial arm, Antrix Corporation, was hacked. The hackers succeeded in defacing the home page with an article about 300 kids from Cape Town getting American Major League jerseys at cheap prices from China. This incident shows how vulnerable India is to cyber attacks. The nation has to develop better network filters and early warning devices. We must add new firewalls around the computer systems that are used by government organisations.
Embedding security at planning stage
The websites are the public face of government undertakings, and if hackers succeed in defacing these websites, it can lead to erosion of public trust in these undertakings. In the Digital India programme, the government seeks to connect all parts of the country with a digital highway. But what stops hackers from using the same digital highway to steal vital information? Security experts are of the view that malicious cyber attacks are possible on power grids, telecommunication, air traffic control, banking systems and all computer-dependent enterprises.
“The information and the infrastructure need to be secure. That is why security must be firmly embedded at the planning stage itself of ‘Digital India’ rather than as an afterthought or for that matter, as a reactive step,” says Deepak Maheshwari, Head–Government Affairs, India Region, Symantec.
In the last five years, there have been a number of incidents in which the online systems owned by government departments and public sector undertakings were targeted. With the progress of the Digital India programme and the Smart City initiatives, there will be a very high level of digitisation. Unless sufficient security measures are taken by the government, there can be a rapid escalation in the problem of security breaches.
Altaf Halde, Managing Director, South Asia, Kaspersky Lab, is of the view that Digital India will involve different technologies communicating with each other in different ways, hence the prediction and elimination of all possible security issues can happen only when the government considers security to be an integral part of the digital journey. “Security considerations have to be taken care of right from planning stage to the actual implementation of technologies,” he says.
In today’s world, cyber security has become integral to national security. The government engages with citizens through websites, mobile devices and even social media. As the Digital India programme progresses, the level of online interaction between the government and citizens will go up further.
Sidharth Malik, Vice President and Managing Director, Akamai Technologies, says that the aim should be to attain maximum digital penetration with minimum cyber risks. The cyber risks can only be minimised when innovative and credible solutions are developed and deployed from the beginning. In any project, security must not be an afterthought. The best results can be achieved only when the security systems are a holistic part of the overall infrastructure.
Emphasising the need to embed security at every stage of the Digital India and Smart City initiatives, Chris Lin, APJ Sales Leader of Veritas, says, “With technology as its pivot, the Digital India initiative calls for a collaborative effort that draws on global innovation, experience, IT talents and expertise. In order to realise its true potential, such an effort requires an entire ecosystem of support and an apparatus for implementation that has to be developed and matured since very first day to over a period of time.”
“Whatever government does under the umbrella of Digital India, it must set the minimum acceptable standard of security for data in the beginning of the project itself. It will not only help the stakeholders involved in the project to understand the various risks involved but also help in effectively marching the project,” says Ranndeep Chonker, Director, Global Solutions Provider, FireEye.
Echoing the concern raised by Chonker, Surendra Singh, Country Director, Raytheon | Websense, asserts that there is a need for setting up robust data security practices. The government has to secure citizen data related to land records, PAN and Aadhaar numbers, etc. The leakage of such data can cause considerable hardships and losses to the citizens. Therefore it is important for the government to set the security standard; it is also important for the vendors who are dealing in these projects to adhere to the best security practices.
Fixing vendors’ responsibility
It is true that all good initiatives are only as good as the governance model that ensures the services are used in the right way and that the risks are adequately understood, monitored, and managed. In Smart City and Digital India, the government will be working with different vendors for implementation of different aspects of the projects. Much of the success is likely to depend on how effectively the government can channelise the capacity and potential of the private vendors.
Anil Bhat, Associate Vice President, Platform Development, MetricStream, points out, “Government has to work with a diverse set of vendors to bring the Digital India initiative to fruition. The success depends on how effectively the government is able to manage the risks around evaluating, monitoring and controlling vendors.”
Sunil Khanna, President and Managing Director, Emerson Network Power, India, explains, “In order to ensure that Digital India is a success, the government will require infrastructure, mobile operators, system integrators, and solution providers. The telecom sector and the government will require data centers and Data Center Infrastructure Management (DCIM) solutions on a larger scale than ever. Therefore, a greater synergy between government agencies and private companies is needed at every stage of this ambitious project.”
Some experts hold a different opinion on the system that needs to be adopted for effective management of vendors for government projects: they are of the view that no network is 100% secure and the possibility of a breach is always there in any system; hence, more than fixing the onus, it is important that stakeholders work together to mitigate the security challenges.
“No matter how much money is spent on security, no network is 100% secure from breaches. There should be an incident response plan to ensure that there are processes, procedures and skilled resources to quickly identify and mitigate threats as soon as they hit a network. Leaders from across the country who have a stake in this issue — industry, technology companies, law enforcement agencies, consumer and privacy advocates, law professors who specialise in this field, and students — must collaborate and explore partnerships to develop the best ways of bolstering cyber security,” says Rajesh Maurya, Country Manager, India & SAARC, Fortinet.
Creating healthy regulatory environment
From a regulatory point of view, the government needs to look at cyber security holistically. A well-articulated and robust cyber security policy is needed to prevent security breaches and ensure responsibility. The country has the Cyber Security Act of 2013, but this has not been fully implemented. One of the core strategies outlined in the Act is to appoint a CISO (Chief Information Security Officer) who shall be responsible for cyber security efforts and initiatives, for public and private organisations. But this policy is yet to be fully implemented.
“One of the first steps towards improving security is to ensure that a regulatory framework is created around Cyber Security Act of 2013 and a good governance structure established,” says Bhat of MetricStream.
“The fact is that we have ignored security issues for too long. Last year more than 150 .GOV and .NIC domains were hacked. We have poor regulations in privacy protection, data protection, cyber law, e-governance, e-commerce etc. All initiatives pertaining to delivering public services in an efficient manner through electronic governance will see lack of momentum and growth unless we tackle security issues and work towards citizen data protection,” says Singh of Raytheon | Websense.
Ambarish Deshpande, Managing Director – India, Blue Coat Systems, has a different point of view on regulatory frameworks. He says that India is in no way lagging behind in regulation but the problem lies in implementation. The country does have a strong IT Act, but more than an Act, we need an aware and professionally trained security workforce.
Agreeing with Deshpande, Altaf Halde of Kaspersky Lab points out, “India has already started moving in the right direction when it comes to regulations and privacy protections. We have seen and observed a lot of action from governments across countries. They are doing their best to get the infrastructure needed to counter cyber-attacks.”
He also explains that as a part of Digital India, the government has planned to launch ‘Botnet cleaning centers’. A botnet is a network of devices infected with malicious software that can be remotely controlled to steal information and carry out cyber attacks such as Distributed Denial of Service (DDoS), which prevent access to websites. The facility will be under the supervision of the national cyber security watchdog, the Indian Computer Emergency Response Team (CERT-In).
Chandra Sekhar Pulamarasetti, Co-Founder & CEO, Sanovi Technologies, points out that the area of IT disaster recovery might be of greater importance. He says, “One area that lacks strong regulatory mechanism is IT disaster recovery preparedness when outages occur. There has to be strong regulation in this area to ensure that all agencies and vendors, which are operating the Digital India infrastructure, must deploy effective and automated business continuity and IT Disaster recovery management solutions, ensure they are tested regularly and complied with. Government can take the cue from Reserve Bank of India which has addressed this concern by bringing in comprehensive regulations in this area for all banking institutions in the country.”
Awareness is the silver bullet
Awareness is the key when it comes to fighting cyber crime, but we do not see private companies taking initiatives to conduct awareness campaigns for cyber security. They would rather leave the task to the government agencies. The truth is that cyber security is a major challenge for enterprises as well as government departments.
“Private companies cater to cyber security to the level of compliance. We are yet to see large investments for improving cyber security in India. Having said that, the recent incidents of cyber espionage have made the corporate world realise the importance of cyber security. Private companies are now working for creating awareness of best practices in cyber security and on the adoption of advanced data privacy technologies for protection against zero day attacks,” says Surendra Singh of Raytheon | Websense. Maheshwari of Symantec adds, “Private sector has also been driving awareness campaigns, but these campaigns are having limited reach and impact.”
While the government has numerous initiatives for information security awareness and education, it cannot manage the task of securing the entire Digital India infrastructure. The programme is too vast for its security to be centrally managed by the government. Public-private partnerships are crucial. As most of the security solutions are developed, manufactured and deployed by the private sector, the country must create an enabling atmosphere for the private security companies to collaborate with the government organisations for implementation of security solutions in Digital India projects.
“Awareness of cyber security threats in India is low but it’s improving in part due to quality research. Greater awareness drives more organisations to adopt technologies which help them respond to advanced attacks. We need to increase our supply of cyber security talent and share critical threat intelligence that provides the information needed to gain the upper hand against cyber threat groups,” says Chonker of FireEye.
“You can have the best of technologies in place, but if the awareness is not there, the usage of technology is not properly handled, it is going to be a challenge. Currently, generic awareness is there but critical awareness related to do’s and don’ts in the age of Digital India is needed,” adds Deshpande of Blue Coat Systems.
“More and more enterprises are hiring CISOs who are trained to build the necessary infrastructure as well as train employees on cyber security. This is a continuous learning and enterprises are getting better over time. However, to speed up the process, leveraging CIO/CTO/CISO gatherings for sharing best practices and steps that should be adopted to mitigate the attacks need to be held on a regular basis,” says Sidharth Malik of Akamai Technologies.
With its archaic governmental system, India has not been able to spare funds and time for ensuring adequate cyber security—this needs to change. The Digital India and Smart City initiatives can’t succeed unless the cyber infrastructure is fully secured. It is time to realise that the cyber space is as much a national asset as the physical space. We can have improvement in the security of cyber space only when government agencies and the private sector join hands and work as a team.