Dr Gulshan Rai
Director General, Department of Electronics & IT, Ministry of Communications & IT, Government of India
“We need to build an entire cyber ecosystem where we can conduct our online activities and transactions without any fear of the data getting leaked, tampered or misused.” says Dr Gulshan Rai
These days we are having lot of discussions on cyber security in the country. What is your vision for cyber security?
My vision for cyber security consists of safe and secure surfing by the citizens of this country. Our aim is to ensure that all cyber infrastructures in the country are fully secured and people are able to conduct their transactions in the cyber space with complete freedom of mind. We need to have a long term vision for security. What kind of systems are we going to have let’s say two or three years from today? It is today that we have to prepare ourselves for the future. We have to encourage more technology development in the country. We need to build an entire cyber ecosystem where we can conduct our online activities and transactions without any fear of the data getting leaked, tampered or misused.
That is the ultimate goal for which we are working. The technology in the cyberspace is changing at a very fast pace. So what steps are you taking to ensure that the technological systems being used to safeguard our cyber infrastructure is up to date?
As you have rightly put, the technology is changing very fast and the threat landscape is changing very fast. New hardware and software products are constantly entering the market. Today we have more than a billion phones in the market. Whenever a new phone or any other device comes into the market, it brings with it a new vulnerability aspect that needs to be attended to. The point is that the more technology evolves the more changes it brings to the security landscape. So the systems of security must also keep evolving with other aspects of security. This is a very dynamic threat landscape; it is a real challenge to address issues pertaining to cyber security in today’s dynamic world. We need to be very careful about the security related issues; we have to keep watch on the ways by which different technologies are evolving.
Is technology the only factor that needs to be looked into for protecting the cyber space? Because security can be jeopardized through physical means also.
Yes, the physical infrastructure must also be secured along with the cyber domain. We have to look at the technology and we also need to look at areas related to physical security, we have to take an overview of the various processes and systems, and we also need to look at the manpower that we have. After all, we are living in a world where there is seamless integration between the cyber systems and the physical systems. We can’t look at one, without taking an account the other.
Today we have technologies that make it possible for malicious individuals to fudge someone’s IP address. It is even possible to send SMS messages on behalf of someone else’s mobile phone number. In such a scenario it is possible that an innocent person can have his mobile or internet connection misused? What steps can be taken to ensure that the identification of the criminals is more secure?
You see, this is a major challenge. All the devices are not in our control. It is possible for malicious entities to get hold of a device make it function differently by rewriting its software, or uploading new software. In the end, this is only a question of changing few lines of the code, and you can make the device function in a different manner. It is a challenge to monitor a domain that is evolving and transforming so rapidly. Lot of technology developments have to be taken into account. Sharing of data is important. If the culprit knows that ultimately the cyber crime will be tracked back to him, no matter what technology he uses to hide his tracks, then he will think twice before committing an offence.
“Optimal security is a journey. Cyber security, in my opinion, is an endless journey”
Lot of malicious acts in the online space might also be happening because people who are active online do not know about all the laws or the code of conduct that must be observed online. So instead of only prosecuting the wrong doers, why don’t we join the Social Networks and provide guidance to all the Internet users?
The government has already pronounced a policy framework for engagement on the Social Networks. The framework is available on our website. The use of social media in our country is increasing day-by-day and I am sure that people will realize that this medium is meant to be used constructively and positively. Vast majority of the Social Networking users are not causing any harm to society, it is a very small section that is creating problems.
How do you rate the security system that is currently protecting the government data in the country?
The security system in the country is quite good. However, the technology is changing at a very fast pace. So the security system needs to be upgraded all the time. There is no destination for achievement of security. Optimal security is a journey. Cyber security, in my opinion, is an endless journey. It is often the case that the perpetrators are few steps advanced as compared to the people who are actually creating the entire cyber infrastructure. So we need to be mindful of the fact that security is an evolving concept and we need to be vigilant of all the threats that are there. If there is enough awareness about the security related issues amongst all the organisations, we will have no problems in protecting out systems and our data.
In most government departments we see reluctance to putting their data on the cloud, even though such a move can reduce cost of operations.
In cloud there are lot of issues. There are issues of security, there are issues of ownership, there are issues of jurisdiction. If you look at many of the Western countries, you will find that they don’t allow there sensitive data to be put on the cloud. In certain countries, they don’t allow users to use cloud that is being hosted in any other country. So my point is that the apprehensions that are being expressed regarding cloud are quite real. If the cloud is being hosted in a different country, at times we have no way of knowing who is doing what. Laws of what country will be applicable on the management of data that is being hosted on a particular cloud.
Some government departments that are handling sensitive data have taken the option of keeping their systems away from the Internet. But that is leading to a slowdown of their systems. Don’t you think that instead of cutting themselves always completely from the Internet, various departments should deploy better Firewalls and other safety measures?
As far as sensitive personal data is concerned, I would say that there is nothing better than isolation. The final decision should be left to the concerned departments. The departments should be left free to decide what strategy should be utilized to ensure complete safety of the critical data. However, I would like to add that today there is no option other than being connected to the Internet, either fully or partially. The technology penetration in our society is increasing on a daily basis.
You are performing a very difficult task of securing the vast infrastructure of cyber security in the country. Can you tell us about the challenges that you are facing?
This is a very challenging job. We need to be in touch with the technology, we need to be in touch with the all aspects of the security related issues. At the same time, we also need to realise that securing such a vast cyber domain cannot be the job of one person. You need to have a great team. There always is a shortage of manpower, but the manpower that is there should be rigorously trained, the manpower must be exposed to the threats and the new technologies. And it is also important that we act in a decentralised manner. All the threats that different organisations face cannot be handled by a single organisation. Different departments should have some basic training on the handing of security related issues. We have to provide all the facilities and the technologies that are required by different departments to handle the security related issues. The people who are manning the systems should be able to conduct forensics, detect the vulnerabilities and address them.