The Airbus A380 has reached its optimum height and the captain has turned off the seat belt sign. I am flying back to New York via Dubai after spending two weeks in India, first catching up with my family and friends in Northern India, followed by a visit to Bengaluru, the Silicon Valley of India. The city never ceases to amaze me. In the last two years, there have been a lot of changes, but the biggest one—demonetisation—had occurred just a couple of weeks before I landed in India.
People with polarised opinions argued it out with each other, debating the pros and cons of the move. Yet, what I found more perplexing was the near-sightedness of the debate and the utter lack of understanding of the real problem. People are only bothered about the lack of currency in the banks and ATM machines but completely silent over the cashless hurricane that awaits them. During my time in India, Twitter accounts of a few celebrities were hacked and the media portrayed it as if this was the worst cyber attack that could happen. My vast experience in cyber security tells me that it was certainly done by some local actor to create media buzz or political turbulence.
Although important, these are not the kind of attacks we need to be worried about. The people in India are yet to experience the worst of the cyber attacks. Consider a situation when people start losing their hard-earned money to lone wolf hackers targeting individual consumers, because they lack even basic knowledge to protect their online accounts, e-wallets, or debit cards from unsophisticated social engineering or phishing attacks. At the same time, imagine the chaos that would result from the breaches at major banks by the organised cyber crime groups.
These criminal gangs would exfiltrate customer data and possibly even transfer the real money from their high net worth customer accounts to the accounts outside the country. These groups could even bring the banks down to their knees thus collapsing financial infrastructure if immediate actions are not taken by the government, banking sector as a whole, and each individual bank. This is the reality that the West has already experienced and what now awaits India.
These are just two of the kinds of threats to which India is vulnerable. In addition, it is equally susceptible to other kinds of major cyber threats faced by other countries. First, cyber espionage, which involves unauthorised intrusions into government and corporate networks to steal sensitive information of strategic or commercial value from organisations like ISRO or DRDO. Second, cyber attacks by state and non-state actors aimed at causing temporary disruptions of networks and services like Sensex or telecommunication systems. Third, cyber war, which is a systematic, large-scale assault carried out on critical infrastructures to render them dysfunctional and have a debilitating impact on dependent services like power systems in one or multiple metro cities, or a large-scale attack on banking systems and ATMs, bringing them to a grinding halt and leading to widespread panic and chaos. But, unlike other countries, the strategy for effective containment of cyber threats by India does not measure up to the challenges it faces. The National Cyber Security Policy 2013 falls short of what is required to develop effective cyber security capabilities. In simple terms, the policy is “disjointed”.
Why is the Cyber Security Policy disjointed?
The disjointedness of the National Cyber Security Policy 2013 is palpable from the stark contrast between the vision, the objectives, and the strategy to achieve them. The policy does not lay out concrete measures that need to be undertaken to achieve the stated objectives. The first and foremost objective is to protect information infrastructure in cyberspace through reduction of vulnerabilities. Yet, the strategy does not lay out any concrete plan for CERT-In for real-time identification and patching of vulnerabilities. CERT-In maintains a database of vulnerabilities, which is by no means real-time. The database lags by at least a week, which makes it obsolete and archaic by global standards.
The policy calls for protection of 'National Critical Information Infrastructure' by creating a national and sectoral 24x7 mechanism through the National Critical Information Infrastructure Protection Centre (NCIIPC). Three years have passed since the adoption of the policy and the NCIIPC is still in its infancy, working under the aegis of the National Technical Research Organisation (NTRO). The policy even fails to identify what sectors will come under critical infrastructure. In the United States, the law has clearly identified 16 sectors under critical infrastructure, whereas in India none of the infrastructure has been identified as critical. The debit card breach that occurred in the month of October and affected 3.2 million consumers is a glaring example of the costs cyber crime can impose on financial institutions and individual consumers. It should be a wake-up call for the government to designate important sectors like finance and banking, energy, telecommunication, defence and space as critical infrastructure. The cyber security policy calls for early threat warning and vulnerability management. However, it fails to talk about a centralised threat intelligence platform that would enable sharing of cyber threat information in real time among different organisations, thus empowering them through real-time cyber situational awareness. The policy talks about inculcating cyber awareness and building cyber security manpower of around 5,00,000 through education and training, yet neither has a concrete plan been outlined on how to build it, nor has any action been taken to build the cyber warriors pipeline. The policy also does not talk about promoting indigenous solutions to the cyber threats that India faces.
The way forward
The cyber threat that India faces is not merely potential in nature but real with high risk. To catch up with the threat, India needs to undertake some essential steps:
- India should develop a centralised threat intelligence platform through public-private partnership because of the efficiency and expertise that the private sector brings with it. The platform can be clustered based on groups of organisations in a particular sector facing similar threats. For example, in the banking sector, the government and banks could partner with existing global information sharing networks like the Financial Services Information Sharing and Analysis Center (FS-ISAC) for sharing threat and vulnerability information with peer banks, conducting contingency planning exercises and enhancing collaboration among other banks. In fact, earlier this month, FS-ISAC and the Monetary Authority of Singapore (MAS) announced that they will collaborate to establish an Asia Pacific (APAC) Regional Intelligence and Analysis Centre to encourage regional sharing and analysis of cyber security information within the financial services sector. The establishment of the centre will strengthen the APAC cyber security ecosystem by providing deeper capabilities in cyber intelligence gathering and analysis for enhanced in-region intelligence support. India, as one of the major economies in the region, should be leading such partnerships and welcoming organisations like FS-ISAC to set up their centres in the country. Other sectors like telecom, power, and transportation need to have their own counterparts of the FS-ISAC mechanism, and the newly created National Cyber Security Co-ordination Centre should merge these sectoral platforms to create a cross-sector centralised intelligence sharing platform for collecting and analysing threat intelligence and mitigating risks through real-time information sharing.
- Additionally, the government needs to overhaul this space by introducing a cyber framework that matches global standards. I am not a fan of enhanced regulations because they have their own set of drawbacks. They reduce the scope for innovation and force compliance. But to have a sustainable system, there needs to be some baseline for banks and other critical infrastructure sectors to implement foundational cyber controls. We need to have a starting point and, given the lack of interest in cyber security among organisations in India thus far, the government needs to take the first step. A similar approach was followed in the United States when banking regulators proposed FFIEC guidelines to introduce a risk management framework for financial institutions. Similarly, the Payment Card Industry (PCI) data security standard was introduced and mandated by credit card companies for organisations that handle branded credit cards from the major card schemes like Visa and MasterCard. Several cyber bills have been introduced in the US Senate and House in the past decade. Last year, the US Congress passed a cyber security information sharing bill, known as the Cybersecurity Act of 2015, which required certain government agencies to share cyber security threat information with private entities and develop a strategy to ensure that a cyber incident affecting critical infrastructure entities will not result in catastrophic regional or national effects on public health or safety, economic security, or national security. The law also provided liability protections to entities that voluntarily share and receive cyber threat indicators. India also needs to introduce similar bills to encourage entities to detect, prevent, or mitigate security vulnerabilities, and share cyber threat information with other entities.
- Finally, programmes like Digital India and the goal of a cashless economy cannot be successfully achieved unless the common man is aware of cyber issues. In India, 82 percent of the population is vulnerable to physical disasters but 100 percent to cyber disaster, because people lack basic cyber awareness. A systematic campaign needs to be undertaken to inculcate cyber awareness among the Indian public, especially rural people. Similar to Swachh Bharat, Prime Minister Narendra Modi should announce a Surakshit Bharat campaign to achieve 'Cyber Suraksha' for all Indians. We need to understand that we cannot have a foolproof cyber security architecture in place until we secure both digital and human ends. Securing human ends requires a cultural shift for which people also need to come forward and make efforts to learn. Even a small step of cyber awareness taken by 1.3 billion people can culminate in a giant leap for cyber security in India. The stakes are high and time is running out. We need to act fast and act now.
(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of YourStory.)