Cyber security, a vital subject and a matter of national concern, usually finds a presence only in quotes, presentations and speeches. It becomes alarming only when our own security establishments and facilities become victims of cyber attacks. A recent example is the attack(s) on our Prime Minister's Office IT infrastructure, which exposes the current state of our
Requires Free Membership to View
national
cyber security. Clearly, the traditional methods of fighting a war with guns, ships and
aircraft have been replaced with computers, bots, viruses and Trojans. The systems designed to keep
our infrastructure secure, are now being used against our own defenses.One of the things to remember is that our vital infrastructure is becoming increasingly dependent on information technology and communication systems. While the continuous advancement in technology is helping India to gain a strategic edge, it's also making our critical infrastructure more vulnerable to cyber threats. Our national cyber security is weak, and unfortunately has not been given the kind of serious attention it deserves. Every recent terrorist act had technology involvement to some form or other, and proved the weaknesses of our defense mechanisms. Be it a traditional method of terrorism or the use of technology for cyberterrorism, India has failed to deal with it. In addition, an ineffective cyber law and a missing legal framework to deal with cyber terrorism make it easier for terrorists and cyber criminals to succeed in their malicious actions.
Cyber terrorism is a reality of our times, and can't be ignored. This has caused the international community to look at its cyber security initiatives very seriously and build intelligence capabilities in cyberspace. However, in the Indian context, the issue itself is missing from the priority list.
|
|||||||||||||||||
Commenting on the state of ournational
cyber security and its impact on India's growth, Bithal Bhardwaj, the advisor of OWASP India
says, "India is rapidly becoming an easy target for cyber attacks, and this situation poses great
threats—not just to our critical infrastructure, but also to our growing IT sector. The emerging
threat from cyber attacks has raised concerns among international businesses regarding their
outsourced IT operations and investment in India's growing software market." The response is
understandable, considering that India earns billions of dollars in software export revenues from
abroad.
The unease was also highlighted by a recent study authored by the Center for Strategic and
International Studies that was released during the World Economic Forum's 2010 annual meeting.
According to the study, "the risk of cyber attacks is rising, and there is growing concern among IT
executives (37%) that the vulnerability of their sector had increased over the past 12 months.
Two-fifths expect a major security incident in their sector within the next year. Only 20% think
their sector is safe from serious cyber attacks over the next five years."
An independent study, 'On the State of Enterprise Security,' conducted in January 2010, revealed
that Indian enterprises suffered an average revenue loss of Rs 5.8 million due to cyber attacks by
elusive hackers in 2009. "Each attack had a financial impact on enterprises, besides loss of
customer trust and damage to reputation. About 90% of enterprises face a cost to prevent such
attacks and comply with regulations, because financial loss in productivity was on the average Rs
8.4 million in 2009."
The recently-held India Technology Leadership Summit 2009, organized by Securitybyte and OWASP,
also highlighted the apprehensions about information security in outsourcing. A panel consisting of
outsourcers, service providers and regulators, which was moderated by Prof Howard Schmidt, special
advisor on cyberspace security to the White House, debated the information security challenges
faced by Indian organizations. While our law and policy makers are yet to get out of their state of
confusion regarding national
cyber security challenges and the legal framework to deal with them, the DSCI (Data Security
Council of India—a self-regulated body of Nasscom), OWASP India and Securitybyte have already come
forward to help India strengthen its national cyber security capabilities by organizing effective
awareness and training programs around real-world cyber security challenges.
The fact that India is not prepared to handle national cyber security incidents is well-known, and
the issue has often been raised by both technology and legal experts. There are various government
agencies working onnational
cyber security initiatives, but the problem is that they all operate in silos. Though most of
these agencies share a common mission, they don't talk to each other or share information. This
leads to redundant efforts, and an ineffective use of budgets. To top it, there are political and
bureaucratic hurdles which make these initiatives unproductive. "As the world gets closer and
critical infrastructure gets connected to the Internet, the threat from cyberspace increases,
making our infrastructure more vulnerable to cyber attacks. This poses a great challenge for India
which has the lowest rate of preparedness in national
cyber security measures for its infrastructure, both from the countering and disaster
management perspective," says Nish Bhalla, partner, Securitybyte, and director, OWASP Toronto,
Canada chapter.
One of the biggest reasons why India needs to be more prepared is the increasing number of cyber
attacks originating from its neighbors, especially China, targeted at India's sensitive critical
infrastructure. Security researchers from around the world have often mentioned India as being the
most vulnerable in the region, maybe because its growing economic strength is being seen as a
threat by some countries. Says Greg Walton, one of the researchers at The Citizen Lab, University
of Toronto, "If you look at the statistics of the institutions or the targets that were attacked by
GhostNet when it attacked global systems, India was by far the hardest hit. India is a software
superpower, yet for some reason the country can't seem to get its national
cyber security act together."
Enhancing our national
cyber security is imperative for the growth, continuity and protection of our businesses,
government and citizens. Unless the Indian government takes it seriously, initiatives in this space
will never find their way to success. Security is a need, not an expense, and needs to be treated
accordingly.
There can be no control or enforcement without an effective governance framework, and the creation
of one is crucial in today's scenario. This framework should define the private-public partnership,
their roles and responsibilities relating to national cyber security, and the interaction between
them. Most of India's IT expertise lies in the private sector, hence a collaborative approach can
help to achieve the desired state of enhanced national cyber security capabilities.
About the author: Puneet Mehta is the co-chair of OWASP India, as well as the
co-founder and director of OWASP's Delhi Chapter. Mehta is a frequent contributor to TechTarget. He
has authored many articles, as well as been quoted in national and international media. Mehta's
focus areas include information security, risk management and vulnerability research.