While the details of a computer breach that compromised 3.2 million Indian debit cards are feeding the frenzy, a trained security professional remains more concerned about the incidents that pass below the radar.
The technology industry silently suffers from the agony of knowing that a majority of the cyber attacks would go unnoticed. Any connected society is perpetually at war now – waged by the faceless hacker, conspicuous yet paradoxically absent, who understands that the denial of, or access to, information can break nations and economies.
In the last two months alone, I have tracked computer intrusions that threatened fair elections in a democracy, pilfered classified documents from a defence contractor with connections to India, undermined the civil liberties of individuals globally and hampered the growth of promising Indian startups. The laundry list is simply too long, but the gist is clear.
The hacker here is, what the conventional strategic theorists term, an asymmetric threat. To put it simply, a bunch of motivated actors with an internet connection can completely neutralise the defences of a nation, by poisoning its most essential resource, information. The scales of this online conflict are so misaligned that government organisations still make the mistake of assuming that force, deterrence or legality have some kind of importance in cyberspace.
Some time ago, I assisted Melissa Hathaway, who was a cybersecurity advisor to Obama and Bush, in preparing a Cyber Readiness Index for India. The report, which would soon be released to the public, undertakes the complex job of calculating the resiliency of Indian cyberspace, which should now be seen as an extension of its sovereign territory. It states that India faces a herculean task of improving upon all markers of its cyber health like national strategy, incident response, e-crime and law enforcement, information sharing, investment in R&D, diplomacy and trade, and defence crisis and response.
Yet, an important takeaway gleaned from comparing India’s Cyber Readiness Index with that of other nations is that the underlying challenges and opportunities remain pretty much the same, regardless of the levels of their economic advancement. Ill-developed technology, oddly, even in this case, acts as the great global equaliser.
The one tenet which should be enshrined in the charter of ‘Digital India’ is that sharing is caring. The internet is going to remain shaky for many decades to come, as its foundational mechanisms were engineered for efficiency, not security. Each of its communication interfaces, operating in a logical silo, requires an additional layer of oversight and monitoring. This fragmentation, also affecting cybersecurity products, still impedes fully reflexive defence.
So countries like the US have institutionalised open and collaborative frameworks to share cyber threat intelligence across organisations in an automated way. They allow indicators of suspicious activity to be disseminated within a matter of seconds, letting the participating entities build dynamic defences. The relayed intelligence comprises only privileged technical metadata, devoid of any personal information.
Another logic which drives this concept is that a typical cyber attack generally exploits similar infrastructure and entities within different organisations. The inter-dependencies between them also become the blind spots for security. The breach of Indian debit cards is a perfect case in point, where, possibly, a single strain of malware affected multiple banks or one of their exchange points.
While the vantage point of each bank was shallow, sectoral collaboration might have helped in stopping the leak sooner.
In any case, this idea is way better than the older alternative of monitoring internet traffic at key gateways that rightfully became a rallying cry for the privacy activists.
While India has shown considerable interest in the sharing of such standards, evident from the second Indo-US Cyber Dialogue held in October, the focus should mainly be inward [Indian domestic affairs]. A relentless engagement at the policy, regulatory and technological levels – to nurture a synergistic, multi-stakeholder arrangement covering the private and public sectors – could be the possible next step. The National Cyber Coordination Centre led by the nation’s first cybersecurity chief, Dr. Gulshan Rai, could become its agency.
The Reserve Bank of India recently appointed its first information security officer and has already formalised a sectoral sharing interface called Indian Banks – Centre for Analysis of Risks and Threats (IB-CART). The irony is that while the financial services sector in the US commendably spearheaded the adoption of sharing standards, the IB-CART still disseminates the intelligence manually.
Cyber investigators, like their traditional counterparts, have always followed the money. Online heists carry much more potency and visibility when their sensational details become public, so this may be an apt juncture to spawn a nationwide movement encouraging cyber resilience. Cyber Readiness should also join the list of India’s primary social development indices, permanently engraving it in our national ethos.
Guest Author
Pukhraj Singh is the cofounder of Bhujang, an Indian cyber intelligence startup facilitating sectoral cyber intelligence sharing. He earlier worked as a cyber operations specialist with the National Technical Research Organisation.