To mark World Password Day, MediaNama reached out to leading cybersecurity professionals and policy specialists for their views on what India should improve from a cybersecurity governance perspective. Many of the experts agreed that India needs robust information-sharing mechanisms between government and private entities, and stronger incentives for the private sector to participate in government contracts.
Information sharing between government and private entities is vital
- Implement robust and structured information-sharing systems between government and private entities: “COVID-19 has drawn our attention to newer fault lines in the cyber risk vectors that surround us. … From a cybersecurity governance viewpoint, this warrants a more structured information-sharing system between governments and private entities.” – Subhodeep Jash, Senior Expert – Strategic Communications, FTI Consulting
- Coordinated vulnerability disclosure programmes: “Towards enhancing cyber security, India needs to look to improve the procedures for disclosing security vulnerabilities to Government entities. We have identified key steps that can be taken towards this end.” – Arindrajit Basu, Research Manager, Centre for Internet and Society
A cybersecurity expert, speaking on condition of anonymity, pointed out that “besides the RVDP [Responsible Vulnerability Disclosure Program] run by NCIIPC, there is no major focus on crowdsourced vulnerability disclosure.”
- Create policy to handle data breaches and accountability for them: “[P]rivacy, or the absence thereof, is at the core of a number of them [factors that affect cybersecurity governance]. Whether it’s the way in which we handle data breaches where users’ information is stolen, or the way we collect, store and sell our users’ information – the absence of regulation and accountability creates an environment where investing in security is nothing more than an afterthought or a hassle. Every day we see data and passwords being sold on the dark web that come from some of the largest Indian businesses and start-ups. At the same time, the CEO of that start-up or business denies that a data breach ever happened, and things blow over. Till we as individuals value our own privacy and in turn force our regulators, apps, start-ups and businesses to value our information, progress in cyber security will continue to be driven by PR rather than by securing our users.” – Yash Kadakia, Chief Technology Officer, Security Brigade InfoSec Pvt Ltd
- Empower the office of the National Cyber Security Coordinator: “There is also a need for better coordination between the various agencies and departments that are tasked with maintaining and securing India’s cybersecurity. The office of the National Cyber Security Coordinator in the National Security Council Secretariat needs to be provided with far more resources and additional relevant expertise, and should be the nodal point for all cybersecurity-related activities in the country.” – Sarvjeet Singh, Executive Director, Centre for Communication Governance (NLU Delhi)
- Develop attribution capabilities through multi-stakeholder cooperation: “India has yet to publicly attribute a cyber attack. Publication of the attribution process is necessary as it advances public credibility in the investigating authorities, allows information exchange among security researchers across the globe, and fosters deterrence by applying political pressure on the adversary and prospective adversaries. I have recommended that this process be through multi-stakeholder cooperation, that the standards of attribution should demonstrate compliance both with the evidentiary requirements of Indian criminal law and the requirements of the international law on State Responsibility, and that the attribution should be communicated to the adversary in a way that does not run the risk of military escalation.” – Arindrajit Basu, Research Manager, Centre for Internet and Society
- Take part in global debates on cyber norms development and international law: “India needs to take a leadership position and play an active role in the different norms formation processes at the multilateral and multistakeholder level. The Indian government should work along with the Non-Aligned Movement (NAM) and its 125 member states, and take an independent position that is aligned with neither the US-led western bloc nor the Sino-Russian view. With regard to norms development, we have argued that it will be very important for India to clarify its understanding of the applicability of international law to cyberspace at multilateral forums.” – Arindrajit Basu, Research Manager, Centre for Internet and Society
- Develop laws to protect privacy and consumers: “Since we don’t have a personal data protection law, the majority of IT security policies can’t really be used to protect data or stop stolen data from being distributed. Add to this the typical intelligence agencies’ paranoia and being so far behind the USA, Russia and China in our SIGINT capabilities, and Indian citizens do not have much recourse. … We need strong consumer protection laws around safety for people to conduct their business and personal activities online. All laws/security controls require a basis of identity and authentication. The moment it is a question of identity, Aadhaar comes into the picture. Given that it is a product of the same mindset where a few centrally [decide] what is good for others, it is something that will be misused, and middlemen will abuse the information asymmetry that comes with IT assets.” – Akash Mahajan, Director, Appsecco
- Mandate cybersecurity compliance in India: “Overall, from what I see, cybersecurity in India is mostly done for compliance purposes, which means organisations look for bare minimums: ‘What’s the minimum we need to do to clear a compliance requirement,’ and that’s about it. This means that it is the least possible security and not optimal security in most places. Until we change this outlook and accept that future wars are not going to be air or water or land based but cyber wars, things will be grim.” – IT professional, on condition of anonymity
- Improve awareness of information security among government organisations: “I do think that the media and PR teams of government bodies should be more informed about the different technical terms used in infosec to prevent any misinterpretation. Basic training for general government employees on how e-mail, the web, browsers, wi-fi and Google/WhatsApp work, and on what information should be trusted, should be provided.” – Antriksh Shah, Director, Payatu Technologies
Build domestic cybersecurity capacity
- Policy mandates to amplify domestic demand: “Cybersecurity governance should amplify domestic demand for cybersecurity services through proactive application of policy mandates. These standards should be enforced very strictly, with the same enthusiasm as when the government enforces income tax filings.” – Bhaskar Medhi, Co-founder, Ziroh Labs
- Promote investment: “Once the new products and solutions arrive, what kind of ecosystem do you need in this country to make them enterprise- and customer-ready? For this, you need to have a good, comprehensive investment environment to make those products commercially successful.” – Vinayak Godse, Vice President, Data Security Council of India (DSCI)
- Let start-ups take part in government contracts: “[T]here must be policy frameworks to help Indian start-ups take part in government contracts. I will go out and even request private sector CISOs to prioritise Indian cybersecurity technology and services. The most valuable help to a fledgling ecosystem is to enable deployment opportunities in real-life situations. Basically, it’s Buy Indian.” – Bhaskar Medhi, Co-founder, Ziroh Labs
- Proof of concept opportunities: “Government needs to absolutely work with Indian infosec start-ups and give them POC [proof of concept] opportunities.” – Antriksh Shah, Director, Payatu Technologies
- Design lucrative bug bounty programmes: “India is the biggest hub for bug bounty hunters worldwide.” – Antriksh Shah, Director, Payatu Technologies
- Recognise supply chains as critical for cybersecurity: “Increasing reliance on digital ecosystems, spurred by events such as the ongoing Covid-19 crisis, also reveals an urgent need to increase internal cybersecurity expertise and efforts, especially for critical supply chains.” – Sarvjeet Singh, Executive Director, Centre for Communication Governance (NLU Delhi)
- Greater engagement between the information security community and government: “Law enforcement agencies, state IT departments, etc. should definitely engage more actively with local infosec meet-ups such as Null, OWASP, HasGeek, etc.” – Antriksh Shah, Director, Payatu Technologies
- Encourage research by “building the cybersecurity capability in the country, creating an environment to further cybersecurity innovation, and developing activities, and more importantly cybersecurity start-up activity in the country. We have been making a great deal of effort to build an ecosystem looking at the use cases and looking at how these cases can be developed in a research community and an academic world, and even in a start-up ecosystem.” – Vinayak Godse, Vice President, DSCI
Data localisation will not help cybersecurity
- Data localisation is not implementable: “Technologies such as AI, big data and IoT are going to be implemented in every discipline, in ways that one cannot imagine. Issues like cross-border [flow of] data, data localisation and privacy will have a different meaning because of these technologies. There are different security standards and practices in different countries and organisations. As a result, the filtering of information is not done uniformly, because of which a lot of information flows on the global network. I really cannot imagine, in this age of global networks, the web, AI and big data, how it is possible to localise data or to have interoperable, cross-border information.” – Dr Gulshan Rai, former National Cyber Security Coordinator of India
- Dependence on other countries for software and hardware: “Closing borders or asking organisations to keep data only in India is not the best approach until we have a self-sufficient ecosystem. Right now, we depend on other countries for both software and hardware. How can we then think of closing gates and still stay at the top of the game?” – IT professional, on condition of anonymity
Technical standards must be interoperable with international frameworks and reduce dependence on passwords
- Interoperability with global frameworks: “There are practices like ISO 27001 and some others which are recommended by bodies like CERT and NCIIPC for the country.” – Dr Gulshan Rai, former National Cyber Security Coordinator of India
- Deal with APTs from a recovery perspective: “We need to deal with APTs (Advanced Persistent Threats) in a much better way. APTs mainly target governments, attempt to steal information, bring down reputations and disrupt operations. Indian organisations and the Indian government are not fully equipped to counter APT attacks. We still rely on a defence level of systems, and these APTs are very sophisticated attacks. We need to build systems or frameworks that work on the basis of detect, respond and recover. All we need is to look at this whole scene as ‘We are attacked, let’s locate, detonate and clear the scene’ instead of looking at it as ‘Oh my god, we are attacked’.” – Shyam Sundar Ramaswami, Lead Security/Threat Researcher – Umbrella Research, Cisco
- Reduce reliance on user-dependent security through password-less processes: “User-dependent security sometimes creates a lot of problems because you rely on the user. For example, the OTP that we have in the country, where people need to look after their own OTP, their own password, have a complex password, and so on. In that case, what happens is there is too much dependence on the user in terms of maintaining the security of a particular transaction, and somehow that creates a huge problem because users are in a very different mindset, and sometimes even advanced users can fall prey to a phishing attack. So how can we create an ecosystem which allows security innovations to flourish, which reduces the cognitive burden on users quite significantly?” – Vinayak Godse, Vice President, DSCI
- Passwords are a liability: “At its core, the underlying principle of password-less authentication is to eliminate the use of passwords and therefore drain their value for attackers. … Today, IT security is moving towards password-less authentication using advanced technologies like biometrics, PIN, and public/private key cryptography. Plus, new standards such as the Web Authentication API (WebAuthn) and Fast Identity Online (FIDO2) are enabling password-less authentication across platforms. These standards are designed to replace passwords with biometrics and devices that people in your organisation already use, such as security keys, smartphones, fingerprint scanners, or webcams.” – Deepak Talwar, National Security Officer, Microsoft
Could a Zero Trust model be the answer?
“Moving forward, simply believing that everything behind the corporate firewall is safe will not hold true. This will bring focus to adopting a Zero Trust model that assumes breach and verifies each request as though it originates from an uncontrolled network. Zero Trust’s core principle – never trust anything, inside or outside of the business network – will be followed extensively. Regardless of where the request originates or which resource it accesses, Zero Trust teaches us to ‘never trust, always verify’. In a Zero Trust model, before granting access every request must be strongly authenticated, authorised within policy constraints, and inspected for anomalies. The system checks everything from the user’s identity to the application’s hosting environment to prevent a breach.” – Deepak Talwar, National Security Officer, Microsoft
But a professional, on the condition of anonymity, said: “The number of offices will get reduced, and hence it’s going to be amusing to see how organisations manage security, since the assumption is that everything inside is trusted and everything outside is untrusted. This is where the latest buzzword, Zero Trust computing, comes in, but it’s not what most people make it out to be. The basic perception is that anything publicly accessible is a Zero Trust model. It has a part of it where exposing things to the public is needed, but more so we need robust environment practices to establish an environment that does not trust anybody, and those practices are lacking most of the time.”
Correction (May 18, 2020, 11:57 am): Subhodeep Jash’s name was misspelt.