India’s Cybersecurity Challenge
India has a big job on its hands as it tries to drive a culture of cybersecurity through a country of 1.2 billion people. Danny Bradbury reports on its progress
In 1947, on opposite sides of the globe, two things were born. One was very large, and one was exceedingly small. Modern India came into being, after the signing of the Indian Independence Act by the British. Meanwhile, in a California laboratory, William Shockley and his colleagues invented the first transistor.
Over the next 60 years, the two would develop together in a way that no-one could have imagined. The transistor would become so small that 2.5 billion of them would fit on a chip. India’s economy would balloon to be the third largest in the world (by OECD measurements) – and technology would be one of its driving forces. Now, India can no longer ignore its IT security responsibilities. The country, which recently launched its own cybersecurity policy, is taking steps to establish its credentials as a secure place for data to be stored and processed.
Technology is a fast-growing phenomenon in India. It has a maturing outsourcing segment that indigenous IT industry body NASSCOM says topped $100 billion in total revenues in 2012. Consumer-focused IT, however, is less prevalent. The consulting firm McKinsey says the Indian e-commerce market has grown an average of one-third each year since 2005. It will reach $2 billion in revenue by 2015, at which point India will have 38 million active online shoppers. Compared to the US, these numbers are minuscule, but it shows promise for the Indian market.
“India is in a unique situation. They have a lot of highly educated people in the country but also large parts of the country that are still developing, creating a low penetration rate for the internet”, says Karl Rauscher, CTO of the EastWest Institute, a global think-tank that focuses on challenges to world peace. “Yet they are also a contributor. They are one of the largest software producers in the world.”
This contrast begs the question: as India’s IT status grows, is its cybersecurity keeping up with growth in the IT sector?
India is waking up to cybersecurity, observes Naveen Hegde, research manager for Asia-Pacific software at IDC, the IT analyst firm. Nonetheless, cybersecurity initiatives have largely been reactive, with modest acceptance. “Security is still a check-the-box exercise for many organizations, with spending limited to whatever is needed to survive compliance audits”, he warns.
There is lots of room for growth as Indian organizations begin to acknowledge the need for better cybersecurity. PricewaterhouseCoopers says the information security market in India will grow by 18% this year, adding that regulatory compliance is a key driver.
Anand Naik, managing director of sales for India at Symantec, agrees that regulators are pushing the issue. “This is a fast-developing market, with regulators in industries such as telecommunications, BFSI (banking, financial services and insurance) and government taking significant steps in building awareness and creating frameworks or mandates that encourage organizations to follow best practices”, he says.
Making it Official
India has come some way toward implementing security regulations in specific verticals, along with a couple of key regulations across the board. The watershed regulation was the IT Act 2008. This amended an original 2000 Act, adding specific information security and privacy measures. It also labeled cybercrime a punishable offense under the Indian Penal Code.
In 2011, the Reserve Bank of India (RBI) introduced a set of recommendations, including the formation of separate information security groups within banks. The recommendations also suggest banks maintain adequate resources proportional to their size and scope of operation. It clearly pointed to financial institutions as ultimately responsible for their own information security, and advocated for CISO positions within each.
Most recently, India’s new national cybersecurity policy set out plans for an effective IT security framework throughout the country, and includes several priorities. A 24/7 mechanism for cybersecurity emergency response is among these, creating situational awareness regarding threats to information and communications technology (ICT) infrastructure. The policy also promises a legal framework for safe operations in cyberspace.
IDC’s Hegde says that the policy focuses not just on government entities and big business, but on home users too. “It aims to create a secure computing environment, and build capacities to strengthen the current setup with focus on manpower training”, he observes.
One hope is that the new national policy will help protect personal information during processing, handling, and storage. “The policy clearly says that the issue of cybersecurity needs to move beyond traditional technological measures such as anti-virus and firewalls”, Hegde explains. “This will certainly drive demand for more advanced security solutions, and will create more infosecurity professionals.”
The country is preparing to train a lot more of these professionals. National Security Adviser, Shivshankar Menon, said last year there was a “critical shortage” of cybersecurity professionals. Menon unveiled a report from a joint working group exploring public–private partnerships on cybersecurity. It recommended establishing a competency framework for cybersecurity skills, including a set of certification schemes.
Kamlesh Bajaj, head of the Data Security Council of India, announced last October that it would train half a million cybersecurity experts in the next five years. As part of the initiative, an Institute of Cyber Security Professionals of India would be created for security testing and auditing, and police would also be trained in cybercrime investigations.
Some 10,000 of these experts are likely to come from a partnership between the EC-Council, which runs the Certified Ethical Hacker program, and the Institute of Advanced Network Technology, a for-profit organization involved in Indian IT training.
These private–public partnerships will become increasingly important in combating cybercrime, because security advocates need industry on board. For many businesses, funding security efforts can be a problem, even if the will is there. Deepak Rout, who was the chief security advisor and director of privacy at Microsoft India until summer 2012, predicts that 60% or more of tier-one companies will already employ a CISO, if their sector is heavily regulated. There are many sectors that are critical to the country that don’t have regulations, he adds, including manufacturing.
Even for companies that have been told to tighten up security, it can be hard to find the wherewithal to execute. “That monitoring and testing ability is a critical requirement for cybersecurity, and telecom providers need a competent security operations center to have adequate security visibility”, Rout explains.
For second- and third-tier companies, pushing security through is a struggle. “Huge investments are essential to develop adequate security oversight capacity and may not always be viable from a business perspective”, he argues.
In fact, putting regulations into practice is one of the biggest challenges facing Indian authorities. Rout gives the RBI guidelines as an example. “It is world-class, but there’s a big gap between adoption in letter, and [in] spirit. To enforce, it requires a large body of auditors to validate.”
The other issue is the fragmented approach to cybersecurity. Aside from industry and central government, there is another stakeholder in Indian cybersecurity: local states. There are 28 of them, and seven union territories. Individual states in India have a large degree of control over localized cybersecurity efforts.
Eyes of the World
As India deals with these issues internally, the world’s eyes are upon it. As a major hub of IT and business process outsourcing, it must continue to be seen as a trustworthy destination for the world’s data. And yet, the nation has had its problems.
US authorities recently highlighted data breaches at EnStage and ElectraCard Services, operating in Bangalore and Pune. These two credit card processing companies were declared the weak links leading to a global banking heist that saw $45 million stolen from ATMs, according to Reuters. So, how safe is the West’s data in India?
IDC’s Hegde remains unfazed. Data breaches like these will happen, but they are also far more common in the US. Ultimately, the responsibility rests with the client that’s outsourcing its data processing, he says. “There is a need for stricter SLAs [service level agreements] between the Indian outsourcing firms and their international clients. Further, it’s essential that there is a regular audit of these SLAs”, he asserts.
While India continues to grapple with these domestic issues, it faces challenges on the world stage. The country is not a signatory of the European Convention on Cybercrime, even though many other non-European countries have jumped on board. Australia ratified and put the law into force this year, as did the Dominican Republic. Japan has enacted it, and both Canada and South Africa have signed it. The US has also ratified the agreement.
This absence disappoints Rauscher. “In the whole area of harmonizing legal frameworks, there’s really a missed opportunity in the fact that there’s a lack of co-ordination across borders”, he says. But there are signs that local Asian cybersecurity partnerships could be developing. At the Third International Summit on Cyber Security, held in New Delhi last year, the leaders of the Chinese and Indian Computer Emergency Readiness Teams (CERTs) agreed to cooperate with each other on fighting spam and botnets. “Recently, India has been identified as a top contributor of spam internationally, but what we have seen as a summit is that they have taken these messages very seriously”.
In the short term, India has much to do as it confronts the same cybersecurity issues faced by the rest of the world. The legislators are hard at work, but with an apparent disconnect between what happens on paper and what’s done in practice, it will take a cultural shift before it can steer itself into safe waters.
On the other hand, the nation’s attempts to bolster its cybersecurity expertise is admirable, especially given the already strong competition for IT staff in a growing Indian technology economy. Fortunately, the government is taking positive legislative measures to focus the lens on cybersecurity.