Rai on the Complexity of CybersecurityIndia's Cyber Co-ordinator Asks for a Multi-Stakeholder Approach to Governance
India's cybersecurity challenges are soaring, as the cyber world gets more complex with increasing interconnected devices that expose enterprise data to the external world. The complexity can only be resolved with a multi-stakeholder approach with the industry participating in building the wherewithal for a cybersecure ecosystem.
As India's cyber co-ordinator Dr. Gulshan Rai, the head of National Cyber Co-ordination Centre, says his job is increasingly complex, as it demands effective co-ordination with various stakeholders in evolving a cybersecurity framework.
Addressing the plenary session at ISMG's Data Breach Summit on India's cybersecurity challenges and lessons for security practitioners, Rai says, "The complexity is due to the increase in digital devices, which will exceed India's population, as we will see India having 20 billion - which will go up to 50 billion 2021, making our task of protecting the cyber ecosystem more complex."
Rai believes technology will help, but a collaborative approach with the industry coming together in a multi-stakeholder approach will be more helpful.
Industry leaders are cognizant of Rai's views as they consider cybersecurity a global phenomenon: It requires international cooperation to develop organizational policy and legal framework to represent itself from a position of strength and guard India's national security interests.
Delhi-based Dr. Siva Subramanian, global CISO, Bharti Airtel, states that establishing the National Cyber Co-ordination Centre under the PMO stands testimony to cybersecurity getting increasingly complex. It's akin to security gaining a seat at the business table or a seat at the board.
"The mere presence of NCCC signals the seriousness the nation places on cybersecurity; bringing different government bodies to consider security in their functioning and promoting the understanding of security among decision makers is a big deal," says Subramanian.
India's Cyber Security Challenges
Security leaders agree with Rai's view about living in a digital world with increasing threat challenges. In the past, there'd be a hue and cry in Parliament when the MS Dos platform failed and the entire government machinery came to a halt. "Today, we are talking about big data breach incidents where critical data is getting compromised and there are innumerable cases of phishing attacks," Rai says.
According to Rai, the country's challenges must be tackled with the right approach, including:
- Creating a regulation to address cybersecurity challenges at par with USA;
- Bringing ICT and security innovations in the country;
- Technological sprawl and solutions changing dynamically;
- Appropriate mitigating technologies.
Airtel's Subramanian finds a lack of mandated powers to enforce existing cybersecurity measures a shortcoming.
He argues that if more executory powers are included at this stage for practitioners, it will hamper consensus building and a wider understanding of the importance of cybersecurity.
"At this stage, the sheer presence of the outfit led by a widely respected and accepted cyber leader to form consensus among stakeholders is a great start; it was missing till now," Subramanian says.
How to Handle Growing Complexity
The foremost need is a collaborative approach. For this, Rai recommends a strong multi-stakeholder approach with participation from public and private players.
He says the line between the civilian and military approach to tackle crime is narrowing, as it's the system and processes that determine the right approach, not technology alone.
Some ways to help build a cybersecure process recommended by Rai are:
- Taking a multilateral approach. given that cybersecurity will be an important focus;
- Inviting private and public to support the R&D; the government will follow;
- Develop innovative methods of building the scale of security operations among enterprises.
Subramanian says the multi-stakeholder concept is a complex beast, and there is no single right or wrong model. The current approaches are in the right direction.
"The one area that requires a stronger impetus is the engagement of academia in this space," says Subramanian. "Stakeholders must provide students and researchers adequate exposure to real life scenarios to make their efforts very applied."
The government should drive cybersecurity as a discipline of study and research as a primary task immediately.
Subramanian says it should emulate the model followed in the early 1970s, when computer science was promoted under electrical engineering schools. This was a less known discipline then. Government support and growth of educational institutions created the IT boom that began as a trickle in the 1980s and propelled India into becoming an IT superpower.
Law experts say for an effective multi-stakeholder model, it's critical to ensure all significant regulations affecting the operation of public-private partnerships is clear, transparent and enforced. Red tape should be minimised and new and existing regulations carefully evaluated.
Mumbai-based Prashant Mali, attorney and president of CyberLaw Consulting says, "NCCC must be entrusted with clear mandates and sufficient resources to ensure a prudent procurement process and clear lines of accountability."
Mali says the government can take up these measures to ensure a cybersecure ecosystem. They include:
- Manage the Indian Government Network as a single network enterprise with Trusted Internet Connections;
- Connecting and increasing coordination between defence CERT's and CERT-IN which can be driven by NCCC policy;
- Cybersecurity education scholarships and funding for Ph.D. scholars for research in the field.
"The NCCC's positive gesture must percolate across enterprises," Subramanian says.