To mark World Password Day, MediaNama reached out to leading cybersecurity practitioners and policy experts to get their thoughts on what ought to be improved in India from a cybersecurity governance perspective. Most experts agreed that we need robust information sharing mechanisms between government and private entities, and greater incentives for the private sector to participate in government contracts.

Information sharing between governments and private entities is essential

  1. Implement robust and structured information sharing mechanisms between government and private entities: “COVID-19 has drawn our attention to newer fault lines in the cyber risk vectors that surround us. … From a cybersecurity governance perspective, this warrants a more structured information sharing mechanism between governments and private entities. The scope of this information sharing must be wide, encompassing threat information, incident reporting, vulnerability or audit notes along with other best practices. The new Cybersecurity Strategy 2020 can address this through the creation of sector coordinating councils akin to Information Sharing and Analysis Centres (ISACs) in the United States and Europe. They can facilitate early warning systems and crisis management, especially for the designated critical information sectors (such as BFSI, power, etc.), amid business continuity challenges that engulf us during emergencies.” — Subhodeep Jash, Senior Consultant – Strategic Communications, FTI Consulting
  2. Coordinated vulnerability disclosure programmes: “Towards strengthening cyber security, India should seek to improve the processes for disclosing security vulnerabilities to Government entities. We have identified key steps that can be taken towards this end.” — Arindrajit Basu, Research Manager, Centre for Internet and Society
    A cybersecurity expert, on the condition of anonymity, pointed out that “Besides RVDP [Responsible Vulnerability Disclosure Program] by NCIIPC, there is no serious focus towards crowdsource vulnerability disclosures.”
  3. Create regulation to handle data breaches and accountability for them: “[P]rivacy, or the lack thereof, is at the crux of many of them [factors that affect cybersecurity governance]. Whether it’s the way in which we handle data breaches where users’ information is stolen or the way we collect, store and sell our users’ data — the lack of regulation and accountability creates an environment where investing in security is nothing more than an afterthought or an inconvenience. Every day we see data and passwords being sold on the Darkweb that belong to some of the largest Indian businesses and start-ups. At the same time, the CEO of that start-up or business denies that a data breach ever happened and things blow over. Until we the people value our own privacy and in turn force our regulators, apps, start-ups and businesses to value our information, progress in cyber security will continue to be motivated by PR rather than protecting our users.” — Yash Kadakia, Chief Technology Officer, Security Brigade InfoSec Pvt Ltd
  4. Empower the office of National Cyber Security Coordinator: “There is also a need for better coordination between various agencies and departments that are tasked with maintaining and securing India’s cybersecurity. The offices of the National Cyber Security Coordinator in the National Security Council Secretariat should be provided with a lot more resources and additional relevant expertise and should be the nodal point for all cybersecurity-related activities in the country.” — Sarvjeet Singh, Executive Director, Centre for Communication and Governance (NLU-Delhi)
  5. Develop attribution capabilities through multi-stakeholder collaboration: “India has yet to publicly attribute a cyber attack. Publication of the attribution process is imperative as it furthers public credibility in the investigating authorities; enables information exchange among security researchers across the globe and fosters deterrence by applying political pressure on the adversary and potential adversaries. I have recommended that this process be through multi-stakeholder collaboration, that the standards of attribution need to demonstrate compliance both with the evidentiary requirements of Indian criminal law and the requirements in the International Law on State Responsibility, and that the attribution must be communicated to the adversary in a manner that does not risk military escalation.” — Arindrajit Basu, Research Manager, Centre for Internet and Society
  6. Participate in global debates on cyber norms formation and international law: “India needs to take a leadership position and play an active role in the various norms formation processes at the multilateral and multistakeholder level. The Indian government should work along with the Non-Aligned Movement (NAM) and its 125 member states, and take an independent position that is neither aligned with the US-led Western bloc nor the Sino-Russian view. This also provides an opportunity for India along with other Global South countries to revive and reshape the NAM, which has lost relevance since the end of the Cold War.” — Sarvjeet Singh, Executive Director, Centre for Communication and Governance (NLU-Delhi)
    • “With respect to norms development, we have argued that it will be important for India to clarify its understanding of the applicability of international law to cyber space at multilateral fora.” — Arindrajit Basu, Research Manager, Centre for Internet and Society
  7. Create laws to protect privacy and consumers: “Since we don’t have a personal data protection law, most IT security policies can’t really be used to protect data or stop stolen data from being circulated. Add to this the usual intelligence organisations’ paranoia and being so far behind the USA, Russia, China in our SIGINT capabilities, Indian citizens don’t have much recourse. … We need strong consumer protection laws around safety for people to conduct their business and personal activities online. All laws/security controls require a basis of identity and authentication. The moment it is a question about identity, Aadhaar comes into the picture. Since it is a product of the same mindset where a few decide centrally what is good for others, it is something that will be misused, and middlemen will abuse the information asymmetry that comes with IT assets.” — Akash Mahajan, Director, Appsecco
  8. Mandate cybersecurity compliance in India: “Overall, from what I see, mostly cybersecurity in India is done for compliance purposes which means the organisations look for bare minimums. ‘What’s the minimum we need to do to clear a compliance requirement and that’s about it.’ This means that it is the least possible security and not maximum security in most places. Until we change this outlook and accept that future wars are not going to be air or water or land based but cyber wars, things will be grim.” — IT Expert on condition of anonymity
  9. Improve awareness of information security amongst government agencies: “I do believe that the media and PR teams of government bodies should be more educated about various technical terms used in infosec to avoid any misinterpretation. Also, basic training to generic government employees on how email, internet, browser, wi-fi, Google/WhatsApp work, and what information should be trusted should be given. I mention this because I have often seen electricity or bank employees say that since their Internet Explorer is not working, there is no internet. They are not aware they could use Firefox or Chrome to test if the issue is with the application or the actual internet. Similarly, people believe that if they search for a query on Google, the first result is Google’s accurate response to the search query even when it can be a fake news/SEO-promoted result.” — Antriksh Shah, Director, Payatu Technologies

Build domestic cybersecurity capacity

  1. Policy mandates to amplify domestic demands: “Cybersecurity governance should amplify domestic demand for cybersecurity services with proactive application of policy mandates. For example, there are guidelines in place for vulnerability assessments. These guidelines should be enforced very strictly, with the same enthusiasm as when the government enforces income tax filings. This will boost demand, attract investments and give much needed support to the domestic cybersecurity industry. Not to mention, it will make the nation safer from a cybersecurity perspective.” — Bhaskar Medhi, Co-founder, Ziroh Labs
  2. Promote investment: “Once the new products and solutions arrive, what kind of ecosystem do you require in this country to make it enterprise and customer ready? For this, you need to have a good, comprehensive investment ecosystem to make those products commercially successful.” — Vinayak Godse, Vice President, Data Security Council of India (DSCI)
  3. Let start-ups participate in government contracts: “[T]here should be policy frameworks to help Indian start-ups to participate in government contracts. I will go out and even request private sector CISOs to prioritise Indian cybersecurity technology and services. The most valuable help to a fledgling ecosystem is to enable deployment opportunities in real-life scenarios. Simply put, it’s Buy Indian.” — Bhaskar Medhi, Co-founder, Ziroh Labs
    • Proof of concept opportunities: “Government should definitely work with Indian infosec start-ups and give them POC [proof of concept] opportunities. There are many amazing Indian infosec companies. It is certain that if the government offers them opportunities to submit POCs wherever possible on their existing infrastructure (not necessarily critical infrastructure), it would benefit the entire ecosystem — the government will be protected from attacks, and vendors will get a chance to improve/validate their product.” — Antriksh Shah, Director, Payatu Technologies
  4. Design lucrative bug bounty programmes: “India is the biggest hub for bug bounty hunters worldwide. The government should take this opportunity to have bug bounty programmes for various government department websites/applications, etc. Government of the Netherlands and the US Department of Defense have public bug bounty programmes which are very welcomed by the community.” — Antriksh Shah, Director, Payatu Technologies
  5. Identify supply chains as critical for cybersecurity: “Increasing reliance on digital ecosystems, spurred by incidents such as the ongoing Covid-19 crisis, also shows an urgent need to ramp up in-house cybersecurity expertise and efforts, particularly for essential supply chains.” — Sarvjeet Singh, Executive Director, Centre for Communication and Governance (NLU-Delhi)
  6. Greater engagement between the information security community and government: “Law enforcement agencies, state IT departments, etc. should definitely engage more actively with local infosec meet-ups such as Null, OWASP, HasGeek, etc. I am sure if the local police go to these chapters and ask what solutions to use, experts will be happy to guide them for their problems. The chapters could design specific sessions for the government.” — Antriksh Shah, Director, Payatu Technologies
  7. Encourage research by “creating the cybersecurity capacity in the country, creating an environment to further cybersecurity innovation, and developing activities, and more importantly cybersecurity start-up activity in the country. We have been making a lot of effort to create an ecosystem looking at the use cases and looking at how these cases can be developed in a research ecosystem and an academic world, and even in a start-up ecosystem.” — Vinayak Godse, Vice President, DSCI

Data localisation will not help with cybersecurity

  1. Data localisation is not implementable: “Technologies such as AI, big data, IoT are going to be implemented in every discipline, in different ways that one cannot imagine. Issues like cross border [flow of] information, data localisation and privacy will have a different meaning in light of these technologies. There are different security norms and practices in different countries and organisations. As a result, the filtering of the information is not done uniformly because of which a lot of data flows on the global network. I really cannot imagine in this era of global network, internet, AI and big data, how it is possible to localise the data or to have interoperable, cross border information.” — Dr Gulshan Rai, former National Cyber Coordinator of India
    • Dependence on other nations for hardware and software: “Closing borders or asking organisations to keep data only in India is not the right approach until we have a self-sufficient ecosystem. Right now, we depend on other nations for both software and hardware. How can we then think of closing gates and still remain at the top of the game?” — IT Expert on condition of anonymity

Technical standards should be interoperable with global frameworks, reduce reliance on passwords

  1. Interoperability with international frameworks: “There are practices like ISO 27001 and some others which are prescribed by bodies like the CERT and NCIIPC for the country. These practices are, no doubt, based on the international frameworks. However, there is a need to look at these practices from the point of view of their practical implementation and orientation, and their interoperability with the international frameworks.” — Dr Gulshan Rai, former National Cyber Coordinator of India
  2. Deal with APTs from a recovery perspective: “We need to address APT (Advanced Persistent Threats) in a better way. APT targets majorly governments, tries to steal data, bring down reputations and mess up operations. Indian organisations and Indian government are not fully equipped to counter APT attacks. We still rely on a defence level of mechanisms and these APT are super sophisticated attacks. We need to build systems or frameworks that work on the basis of detect, respond and recover. All we need is to look at this whole scene from a ‘We are attacked, let’s locate, detonate and clear the scene’ rather than looking at it as ‘Oh my god, we are attacked’.” — Shyam Sundar Ramaswami, Lead Security/Threat Researcher – Umbrella Research, Cisco
  3. Reduce reliance on user-dependent security through password-less processes: “User-dependent security sometimes creates a lot of problems because you rely on the user. For example, the OTP that we have in the country, where people have to take care of their own OTP, their own password, have a complex password, etc. In that case, what happens is there is too much dependence on the user in terms of maintaining the security of a particular transaction, and somehow that creates a big problem because the users are in a very different state of mind and sometimes even advanced users can fall prey to a phishing attack. So how can we create an ecosystem which allows the security innovations to flourish, which reduces the cognitive burden on users quite significantly?” — Vinayak Godse, Vice President, DSCI
    • Passwords are a data liability: “At its core, the underlying principle of password-less authentication is to eradicate the use of passwords and thereby drain their value for attackers. … Today, IT security is moving towards password-less authentication using advanced technologies like biometrics, PIN, and public/private key cryptography. Plus, new standards such as Web Authentication API (WebAuthn) and Fast Identity Online (FIDO2) are enabling password-less authentication across platforms. These standards are designed to replace passwords with biometrics and devices that people in your organisation already use, such as security keys, smartphones, fingerprint scanners, or webcams.” — Deepak Talwar, National Security Officer, Microsoft

Could a Zero Trust Model be the answer?

“Moving forward, just believing everything behind the corporate firewall is safe won’t be true. This will bring focus to adopt the Zero Trust model that assumes breach and verifies each request as though it originates from an uncontrolled network. Zero Trust’s core principle is: never trust anything, inside or outside of the corporate network will be followed exhaustively. Regardless of where the request originates or which resource it accesses, Zero Trust teaches us ‘never trust, always verify’. In a Zero Trust model, before granting access every request must be strongly authenticated, authorised within policy constraints, and inspected for anomalies. The system checks everything from the user’s identity to the application’s hosting environment to prevent a breach.” — Deepak Talwar, National Security Officer, Microsoft

But an expert, on the condition of anonymity, pointed out, “The number of offices will get reduced and hence it’s going to be funny looking at how all organisations handle security since the assumption is that all that is inside is trusted and all that is outside is untrusted. This is where the latest buzz word Zero Trust computing comes in, but it’s not what most people portray it as. The general perception is that everything available publicly is a Zero Trust model. It has a part of it where exposing things to the public is needed but more so, we need robust environment practices to set up the environment that it doesn’t trust anyone and those practices are lacking most of the time.”

Correction (May 18, 2020 11:57 am): Subhodeep Jash’s name was misspelt. The error is regretted. Originally published on May 7, 2020 at 5:17 pm.