Public-private partnership key to build fool-proof cybersecurity ecosystem
No single institution or sector has the knowledge, experience, resources and other capabilities to tackle cybersecurity threats and create resilient cybersecurity infrastructure. Cyber threat intelligence sharing and collaboration in exchanging expertise and perspective between public and private institutions are important for an overall win-win situation for both. Partnership with knowledgeable individuals is also important. 'War is too important to be left to the generals' similarly, cybersecurity is very important and everybody should be involved in it, not only the government
The governance of cyber security risks is important to the security of the nation. These risks are characterised by uncertainty. PPP is an answer to this challenge by enhancing flexibility and robustness. Involvement of people in the country's growth process including cyber security is desirable. Government can utilise the expertise and experience available in the public and private sectors to build a safe cyberspace. For achieving cybersecurity, coordination, cooperation and collaboration among all stakeholders is required. Cybersecurity is a joint responsibility that requires a trusted relationship between public and private organisations. By breaking the barriers between public and private entities, significant results can be achieved in mitigating cybersecurity threats. This partnership between government and industry helps for exchanging information about security threats and vulnerabilities which will improve the ability to manage the security risks.
1. National perspective
The National Security Council Secretariat (NSCS), Government of India plays a pivotal role in defining policy and strategy for cyber security.
India is one among the top three countries that is attacked on its cyberspace from external sources as well as internal. Government, vital sectors as well as individuals are vulnerable to these cyber attacks. Digital is a new horizontal (like finance) and whatever malicious happens in the digital sphere, it affects the bulk of the environment. So, all of us have to take interest in cybersecurity.
Skills set to face cyber attacks are not uniformly distributed. Compared to government organisations, the private sector is better placed in this regard but not all private sector organisations. Banking sector has developed these skills over a period of time similarly, the telecom sector. Power sector also has started acquiring these skills.
The perspectives of the private sector and government are different with regards to cybersecurity. Private sector focuses on protecting its business interests and reputation whereas the government will have a national perspective.
For the digital technology to proliferate, people should have trust in cyber systems before they are onboarded and start using digital services in a big way.
As it is not possible for individual organisations to do everything on their own with regard to cyber security, all the organisations should work together.
Public private partnership is required in the following for mitigating cyber threats:
1.1 Capacity building
Awareness on Cyber hygiene has to be increased to reduce the scope for phishing attacks which are important vectors for intrusion into systems. Private sector has a very big role to play in this area. Cyber Swachhata Kendra is the initiative of the government to create a secure cyberspace by detecting botnet infections, notifying them and enabling cleaning to prevent further infections. This operates in coordination with ISPs and product/ antivirus companies.
Cybersecurity awareness programmes can be conducted with the support from the government. Cybersecurity can be included in the curriculum in computer courses to increase awareness and for Capacity Building. Right persons should be posted in cybersecurity jobs. The type of drive that happened for training persons to face Y2K problems should happen for cyber security also. CISO (Cyber Information and Security Officer) should bring in the required technology, put in place the necessary process and make available the required budget for cybersecurity. He should build a team to act on the inputs of CERT- IN (The Indian Computer Emergency Response Team).
The industry, government and academia should develop a cybersecurity course curriculum and put in place delivery mechanisms. Of late multiple organisations have come up for capacity building in cybersecurity. Some of them are:
Cyber Surakshit Bharath: This initiative was conceptualised with the mission to spread awareness about cyber crime and build capacities of CISO and front line IT officials. CISO training is the first of its kind partnership between government and industry under the PPP model. For this training MEITY (Ministry of Electronics and Information Technology) provides logistic support. Partners from Industry are Microsoft, IBM etc. and knowledge partners from government are CERT-IN, CDAC etc.
NASSCOM: The National Association of Software and Service Companies is an Indian non-governmental trade association and advocacy group. It is a skill forum and is building up Cybersecurity professionals. They prepare curriculum and conduct training programmes in cybersecurity.
Project Cyber Siksha: Microsoft and Data Security Council of India (DSCI) with support from ISEA (Information Security Education & Awareness), an initiative of MEITY, have launched Project Cyber Siksha for skilling women engineering graduates in cybersecurity.
1.2 Research, development and engineering
There is a product requirement at national scale as the government has to monitor cyber network traffic, get insights into the traffic patterns, look at the threats, conduct predictive analysis and give warnings to different sectors. Indian industry can conduct research and develop these products.
1.3 Regulation and legal framework
As multiple stakeholders get affected, the government can't in isolation work out regulation and legal framework. Wide ranging consultations should take place with all the stakeholders to decide what is good for all.
1.4 Standards development in cybersecurity
India should increase its participation in the international forums for the standards development. Continuous engagement of the experts in standard development is very much required. Small scale enterprises may have expertise in this area but they may lack finance to send their experts regularly to these forums for participation. Government should sponsor such cases. Government, industry and academia should work together in this area.
1.5 Information sharing
Information Sharing and Analysis Centre (ISAC) provides a central resource for gathering information on cyber crimes and also sharing of information between private and public sector about root causes, incidents and threats. Experience, knowledge and analysis on cybersecurity are also shared. IDRBT (Institute for Development and Research in Banking Technology) at Hyderabad under RBI functions as ISAC for Banking and Finance Sector. Similar ISACs are required to be established for all other sectors.
If any organisation's cyber system is attacked and if there is malware infestation, the information should be shared across the industry.
The National Malware Repository (NMR) will be inaugurated soon. It will have over 95 million samples of malware that will act as a reference database for the companies looking to build cybersecurity products. Government, industry and academia should collaborate on this platform. They can access the NMR for conducting research and coming up with mitigation solutions.
1.6 Cyber crime
Private sector has developed a lot of infrastructure in cybersecurity in terms of probes and deployment of fire walls. They have a lot of insights and can give pointers but they don't have the legal authority to prosecute the perpetrators. Here cooperation between the private sector and government is required.
I4C: Indian Cyber Crime Coordination Centre has been established under MHA (Ministry of Home Affairs) to act as a nodal point to fight against cyber crime. It brings together academia, industry, public and government in prevention, detection, investigation and prosecution of cybercrimes. I4C has envisaged the Cyber Crime volunteers programme to bring together citizens who want to contribute in the fight against cyber crime.
Digital Crime Unit of Microsoft: This Microsoft sponsored team of international legal and internet experts employs the latest tools and technologies to stop cyber crime/threats. It has offices in important cities in the world including Delhi. It works closely with the local law enforcement to ensure that the perpetrators are punished.
National cybersecurity strategy: The national cybersecurity Strategy was conceptualised by the DSCI in 2020. Increase in the number of cyber attacks, critical infrastructure getting digitised have necessitated the formulation of this strategy. Wide ranging consultations have taken place for preparing this document and it is in its final stage. Public private partnership is envisaged in this document.
2. Role of CERT-IN in public private collaboration of cybersecurity
CERT-IN plays a vital role in strengthening the cybersecurity of our country. It acts as national agency for performing:
a. Collection, analysis and dissemination of information on cyber incidents
b. Forecast cybersecurity incidents
c. Emergency measures for handling cybersecurity incidents
d. Coordination of cyber incidents, response activities
e. Issue guidelines relating to cybersecurity practices, procedures, prevention, response and reporting of cyber incidents
f. CERT interacts with internet registry and Domain Registrars, industry, vendors, academia, R&D organisations, security and Law Enforcement agencies, individuals or groups of individuals, International CERTS and expert groups. It conducts cybersecurity exercises and drills of technical, tactical and strategic nature for trust building, joint response and prevention. It carries cyber security audits and vulnerability Landscape Mapping.
Way forward
Government is involved in making cyber laws and the private sector is involved in creating technology and this can't be seen in an isolated manner. That's why the PPP model is important. In the process of implementing PPP in cybersecurity, the state shifts the focus from control function to coordinating and monitoring the security tasks of the private partner. No single institution or sector has the knowledge, experience, resources and other capabilities to tackle cybersecurity threats and create resilient cybersecurity infrastructure. Cyber threat intelligence sharing and collaboration in exchanging expertise and perspective between public and private institutions are important for an overall win-win situation for both. Partnership with knowledgeable individuals is also important. 'War is too important to be left to the generals' similarly, cybersecurity is very important and everybody should be involved in it, not only the government.
(The author is a former Advisor, Department of Telecommunications (DoT), Government of India)
Gloss