SecureIT 2014, in its fifth year,was held at Hotel Claridges, New Delhi on 14th March 2014. The event saw a gathering of security experts from the Government, Security Agencies, Corporates who deliberated on the various aspects of Cyber Security and Physical Security which are prevailing in the country and ways and means to counter them. A report…
Inaugural Session: Dimensions of National Security
Prakash Kumar, National Technology Officer, Microsoft India
I am sharing with you all a glimpse of the kind of threats we face and how do you take care of this scenario. Now let us talk first about the bad guys. By saying ‘Bad guys’ mean the hackers who are attacking computer systems worldwide. But who are they? They can be part of any country’s forces. They can be part of organized gangs. In fact they are organized like any other big company. For example I can mention that 15 million computers were affected by a particular botnet and they were controlling and passing 40 billion spam emails everyday during 2006-2011. This particular botnet was neutralized by Microsoft. There are also some groups who do this only for the sake of fun. So we have different kinds of people who are attacking our systems. In the Indian context, I can say that our country stands much higher than the world average in terms of cyber threat occurrences. Monitoring of systems, network and infrastructure, educating people, specially people working in the government departments, strong authentication are some of the important measures we advice.
Dr Ashwini Kumar Sharma, Managing Director, National Institute of Electronics and Information Technology (NIELIT)
The topic of securing IT infrastructure is the demand of time. Everyday technology is evolving and government is striving to promote citizen centric service delivery system with the help of ICT and e-Governance. In this scenario it is more important that we discuss about securing the IT infrastructure and cyber space.
Talking about cyber crime, we must remember that the cyber criminal activities are designed to accomplish tasks such as stealing intellectual property, secretly listening to government communication and targeting government’s national security related sites.
On the other hand advanced persistent threats are mainly applicable to the advanced countries. But slowly these advanced persistent threats are moving to other countries also. Therefore, we need to be very careful of these activities. Government, education, service, aerospace, financial security and telecommunication sectors are the major target areas for cyber attacks. We need to be more careful as we are on the verge of using extensively cloud technology.
We are thinking of following the secure activation design and malware detection procedure to counter the threats of cyber crime in this present age of fast changing technology.
Dr Shefali Dash, Director General, National Informatics Centre (NIC)
I would like to focus upon the need and challenges for cyber security. In the present times, we can see that cyber attackers are trying to break the defense and security system of a country by the way of cyber attacks, apart from general way of forces attacking a country with army or forces.
We all realize that nearly every aspect of citizens’ daily life has been considerably transformed by the Information Revolution. So, a trusted and resilient digital infrastructure that can withstand attacks would provide a platform for innovation and prosperity, the benefits of which could be reaped by the common man at the grass root level. I think that due diligence to be done to address safety in the cyber space, including both proactive and reactive.
NIC has undertaken various measures to tackle cyber crime. Forming dedicated cyber security group as part of its common ICT infrastructure for e-Governance. Making dedicated and experienced team of cyber security professionals covering the areas of network security, application security, malware analysis and other emerging areas.
Application Firewalls provide extra layer of security against application level attacks. Security Information and event management systems to collect, analyze, correlate security events to identify intrusion attempts in real-time. 24×7 Security Operations Centre to monitor & remediate attack attempts are some of the measures being undertaken by NIC.
Rajesh Aggarwal, Principal Secretary (Information Technology), Government of Maharashtra
At the onset, I would like to make it clear that we have to first learn to stress upon quality in this country. Unless we have quality, we can’t have security. It may be harsh to say, but the fact of the matter is that our country glorifies ‘jugaad’ system, rather than glorifying quality. My crisp message is that we should focus on quality first or otherwise we should stop talking about security. Let me give an example. All our banks are computerized. Have we ever thought that who actually stores the passwords of the servers? These are saved with the vendors, not with the bank managers. Yes, this is the reality. Still we talk about security in information technology system. My opinion is that we should first focus on enforcing quality everywhere. Our system must have SOPs for passwords and these should be enforced strictly.
Arun Chaudhary, Director General, Sashastra Seema Bal (SSB)
Shasatra Seem Bal (SSB) basically looks after the Indo- Nepal and Indo-Bhutan border protection. All the central armed police forces in the country have their own IT application and software to make easy their core functioning in the area of their work. In a very small way we have tried to familiarize our assistant commandants, sub inspectors (SI), constables deployed in the border areas to be using the security applications based on IT. We also tell that the accessibility of the software and hardware given to them will be limited. We try to educate our SIs or constables about the security aspect of the IT applications with the help of our training programs and taking help of the private sector experts. But I must also accept the fact that the data collection is going on a slow pace at the present juncture. We need to move fast.
Dr Nirmaljeet Singh Kalsi, Joint Secretary, Ministry of Home Affairs, Government of India
My focus is upon our national security perspective. It has got many dimensions. Physical security to securing our strategic assets—national security perspective means all these aspects. Another focus area is critical infrastructure, specially securing critical information infrastructure. Economic or energy security or any other important security, everything , is being connected in the cyber space and thus we need to secure the cyber space and within the cyber security category, information security is the most important aspect in respect of national security.
On the other hand we have to keep in mind that cyber espionage is a major area of concern for us in the global perspective.
In the context of India, I can say that securing sensitive information is a strategic challenge for the country. Apart from that economic stability is essential for economic security and securing intellectual property is also important. I must say that protecting information is the key enabler for the national security. It is important as almost all the services are becoming digital and it brings along with the threat of breach in information security.
We are in the process of framing the National Information Security Policy after studying various guidelines and policies prevailing in the country. It will be compulsory for all the government departments and PSUs to follow
Session: Technological Framework for Safe & Secure Cities
S Suresh Kumar, Joint Secretary (Centre-State), Ministry of Home Affairs, Government of India
The topic- ‘Technological Framework for Safe & Secure Cities’ is relevant in the present scenario. Most of the states are working towards securing cities in the country by using some of the models available in the western countries. Cities like London, Paris, Vienna, New York and others do have very extensive systems in position for undertaking initiatives for safe and secure cities. But in India this idea is still not understood to the extent it ought to have been.
Sanjay Sahay, Additional Director General of Police, State Crime Record Bureau (SCRB), Karnataka
The US, post 9/11 saw the administrative integration of almost 23 departments finally ending up in the creation of the Department of Homeland Security in October, 2002. Our response have been different in the post 26/11 scenario. I think that US acted in a way it did and India reacted in a way it did is merely because of the backend system which US had in place during the 9/11 attacks. On the other hand, the operation Abotabad has been the single best example of usage of digital technology in preserving security. But it is also about people, process and technology.
R C Tayal, Additional Director General, Shashastra Seema Bal (SSB)
Fortunately, things have changed in India since the 9/11 attacks with respect to security in airports. But still lots need to be done. I am giving example of airports security because during 9/11 attacks I was associated with the Bureau of Civil Aviation Security in India. I think that we should focus on integration of human effort with technology. Otherwise our systems cannot become effective. Human caliber needs to be developed at the level of the people from the security agencies who are given the task of using technology. On the other hand, introduction of technology to the level of police station is necessary as the real policing happens at this level.
Purshottam Sharma, Additional Director General of Police, Bhopal
Identifying and tracking criminals is the foremost challenge before us when we speak about crime and criminals. My focus is on the biometrics fingerprint system. The biometrics systems by which the digitization of the fingerprints were done was in a poor state in most of the part of the country. This was my realization when I worked as a nodal officer for the CCTNS project. Things are changing now. But when we did a study on pan India basis, we found out that 12 states don’t have proper FS system till recently and in the states, where it is present, they are not at all functioning well. So these are the operational problems. Systems also have technological flaws. We have tried to address the issue of criminal tracking by providing a handheld device to all the police stations to obtain fingerprints of the criminals.
B N Ramesh, Inspector General of Police/ Director, Central Reserve Police Force (CRPF) Academy
According to me I4 has to overpower IM3. For me 3IMs stand for Indian Mafia, Indian Maoist and Indian Militants. I stands for Idea, Implementation, You & I and the biggest of I is our country, that is India. This is the big challenge before us. We need to have customized solutions for emerging problems. For example I can tell that the tracking of criminals through the video analytics can be used more by the security forces. On the other hand I opine that technology should go together with the human face also.
Rohit Bhambri, Director, Cyber & Intelligence, NICE Systems
I am focusing on how web intelligence can be used for building technological framework for safe and secure cities. Web intelligence is also referred to as open source intelligence. This technology can provide a supplementary factor to the law enforcement agency’s city surveillance infrastructure which is already in place and proposed for infusing further data into it by maintaining public safety and law and order. It can also monitor social issues and can draw inferences from systemic analysis on public opinions. This can also be used to detect threats. Apart from these one can identify new targets with the help of this technology. I think cloud technology needs to be harvested well. At the end I can say that our tools are fully intelligence oriented and these are designed by intelligence professionals.
Prem K Gautam, Superintendent of Police, Central Bureau of Investigation (CBI)
My focus is on the secure-IT environment and perspective CBI investigation and e-governance. Till now CBI has handled more than 5000 cyber crime cases. CBI mainly focuses on the cases related to the phishing websites, credit and debit card fraud, lottery fraud, job fraud, pornography, fake websites for cheating, source code theft, domain name theft, software piracy, RTGS fraud, etc. As a nodal point for Interpol in India, CBI gets information and intelligence from various countries. We have crack teams based in Delhi, Mumbai, Chennai and Kolkata for various cyber crime cases
Session: Data Security: Protecting Businesses and National Assets
Lt General SP Kochhar, AVSM, SM, VSM (Retd); Chief Executive Officer, Telecom Sector Skill Council (TSSC)
I feel that Information Technology and Telecom cannot be treated separately anymore in the present age of technology. And if we talk about IT or telecom, it is all about dealing with data. So the primary focus must be on the data security. Data at rest, Data on move and Data at use- the entire ICT technology can be divided in to these three categories and we need to secure all these three. Then only we can say that we have been able to secure data.
Dr Gulshan Rai, Director General, CERT-IN, Department of Electronics & Information Technology, Government of India
Most of the cyber attacks are really deceptive in nature. Today we are in an era where the things are much different in terms of technology and process and technique. From mere hacking to cyber espanioge to attacks from faux servers- nature of attacks in the cyber space has evolved over the years. This is the time of cyber warfare. I must say that these are the challenges before us and we must deal with them in an effective manner.
Anubhav Tyagi, Senior Solution Specialist, Safenet India Pvt Ltd
The protection needs to be centered on data itself. We believe that encryption is an essential process to protect sensitive data, provide risk management and ease proof of compliance. I think that a new mindset is needed for securing data. We must understand that the sole perimeter security is no longer enough. Breaches will happen and we must prepare differently. Data is the new perimeter encryption with Secure Key Management and above all we must realize that security is all about enablement.
G S Naveen Kumar, Special Secretary, Information Technology & Electronics, Government of Uttar Pradesh; Managing Director, Uttar Pradesh Electronics Corporation Limited
At the onset I would like to mention that we have witnessed more than 100 per cent jump in cyber attacks against Indian government and financial institutions. Keeping in mind this Uttar Pradesh government has envisioned the Information Security plan which is aligned with GoUP IT Policy 2012 & National Cyber Security Policy -2013. Setting up of State Cyber Security Incident Response Team, working towards establishing a multi-disciplinary Centre of Excellence (COEs) in cyber security areas and trying to make cyber security audit mandatory are some of the initiatives under this plan.
S N Pradhan, Additional Director General, Criminal Investigation Department, Jharkhand Police
My focus is on the data which is already there with the police forces and data which will be part of the force in future. It is my belief that anything which is networkable it is also crime workable. That is the serious aspect of the entire system. We have to keep this in mind. Another thing I want to emphasis is that we are having a faith based approach in data security. The problem is that we are not yet in a position to respond systematically; rather we are banking on individual response to this.
Rajendra Dhavale, Senior Director – Technical Sales, CA Technologies
In today’s context I think national assets means data related to core banking sector, property details, taxes and all of these. National assets are not about structures only, it is all about data and it is essential for us to understand the importance of data protection. It is important to raise the question that who should have access to this data. Here comes the importance of identity for working with the data. In this context we need to understand the digital identity, which is being created in the systems.
Sastry Tumuluri, Information Technology Advisor & Chief Information Security Officer, Government of Haryana
I think that the some of the scary parts of not having proper understanding about the data security in our country in its entirety are incredible lack of awareness not only among users, but also IT professionals and ultra-low standards to being an information security professional. On the other hand the hackers have moved from being script-kiddies. But we haven’t. To cope up with the challenges for data security, we need to move away from the audit once / once-a-year mindset, pool expensive resources and use them efficiently. We also must focus on increasing the use of open source tools.
Rishi R Sharma, Technical Consultant, India, Trend Micro
I am speaking on the advanced targeted attack and the steps to counter it. The threat environment has evolved over the years. All of these threats still exist out there, but new and more damaging threats are being developed each year. Now, we are dealing with targeted attacks, advanced persistent threats and creative mobile attacks that take advantage of new vulnerabilities, social engineering and mobile proximity. They are stealthy and are designed to fly under the radar, undetected, and to steal your valuable data. And your data is everywhere -in the cloud, on virtualized servers, and on mobile devices. It needs to be protected, without slowing you down.
Rajesh Kumar S, Technical Consultant, Juniper Networks
We need proactive security system. If something happens, we react- we are working on this model most of the time. We need to change this. Deceptive techniques can be used to protect our data from the sophisticated set of hackers as these kinds of attacks effects our national security also. What I am trying to say is that we should attack the attackers rather than responding passively. with the various state governments and the National Crime Records Bureau. So the entire data of a particular criminal is saved and it has helped us in tracking of the criminals. At the same time we are focusing on the integration of all the state government systems for criminal identification and tracking program.
Session: ICT for Infrastructure Security & Information Security
Major General R C Padhi, Additional Surveyor General (Technology), Survey of India
The GIS applications have become very critical in disaster management, decision support system, location based devices and military technical system. The objectives of National GIS are to have a seamless nation-wide GIS ready database, to serve as a platform for g-Gov and state of art data/ apps hosting environment. It also aimed at enabling service provision for different user groups and to capture and assimilate data owned by public owned agencies.
Abhishek Singh, Private Secretary to Minister of State (Finance), Government of India
The data security and importance of Information and IT security is very critical for people in the government. But the way technology is growing and the way ICT, internet and web enabled technologies are dominating our lives, it is important for us ensure that we have safe and secure data. The pace at which internet technology has grown, it has created the ramification on all of us especially to the government. When the different government department adopts e-governance they build networks, infrastructure, data centers, and systems. Ultimately the objective is to make the life easier and convenient for citizens.
Loknath Behra, Inspector General, National Investigation Agency (NIA)
I think that more than 95% of police men in the whole country are blissfully ignorant of anything called information Technology. Then there are issues related to filing and registering cases. But it is also true that ICT also has made the life of police to some extent more comfortable. For example many of things they do on daily basis, now they will type in the computer, they will keep particular things over there. Also in terms of forensics IT has put the police force in an advantageous position. In CCTNs we have the visualize solutions where we can provide solution which will help police men to have information on their mobile phone while they are on move.
S D Mishra, Additional Deputy Commissioner of Police, Economic Offences Wing, Crime Branch, Delhi Police
The safe city project is an initiative and it is more of an experiment. The need of the project actually emerged in post CWG, where we suddenly realized that the organization per say has the negative confrontation towards technology. The natural tendency within Delhi police was actually to reject technology. With human potential stretching to limit, we suddenly realize that in order to be more efficient we had no other option but to adopt technology in a big way. The objective of this project was to use technology as the facilitator in crime prevention and detection.
Sachin Malik, Consultant, Microsoft Consulting Services
We are going through a digitization phase and we are on the fast track for the digitization. If you look at the government side e-governance is there and everything is being digitized like UIDAI, etc. We need to have the security for that. It is also important to decide about the accessibility to these digitized data. We need to have privacy to be taken care of and it is also important to ensure the reliability of information, along with following best practices.
Sailesh K Tiwari, Director, Computerisation & Information System, Railway Board, Ministry of Railways
In the last 25 years Internet revolution has brought tremendous growth and development in the society across the world. Obviously it has brought huge comfort for all of us. But it has the darker side; it has exposed our individual life, society and the nation to greater risk. It is said that good and evils moves together, when good is ahead then no problem but when evils moves ahead of good catastrophe is created. Security of information system is a way to ensure that the evil side of information age doesn’t take over the good side of it. Indian railways have deployed world class governance system across India and about 8 billion people use the services in a year. Naturally the security of the system is very important.
Amit Sharma, Special Secretary, Government of Jammu & Kashmir
Let me point it out at the onset that State of Jammu and Kashmir is a state where security measures matters a lot. I think e-governance projects have not taken pace in most of the states yet as desired. This will also result in IT security initiatives to go up and also budget for that will increase. At the end I would like to make it clear that more and more awareness campaigns are needed to have a proper safe and secure IT environment.
Session: Innovations in Capacity Building, Cyber Security & Forensics
Alok Tripathi, Joint Director, National Institute of Electronics and Information Technology (NIELIT)
As the attacks are dynamic in nature and it is in real time. We also have to design counter measures in real time. We must have a training environment where real type of scenario is there. It will help us in a situation when real attack occurs. Counter measures are designed at the same time. A team should be made for this and there should be good coordination between them. NIELIT has developed an advanced virtual training environment with the support of e-security division of DeitY at a cost of `2.04 crore.
Colonel Navjot Singh, Senior Research Fellow, Centre for Joint Warfare Studies (CENJOWS)
There is a surge in proliferation of ICT and its assets in the various wings of armed forces. All types of assets like hardware, networking, software applications, etc have taken a boost. Expansion has not only been in the range, but in the depth and applicability. The convergence between the IT and communications field in inevitable. ICT offers the powerful tool for greater economy and benefit to all. In the recent past, Defense Expenditure Review Committee has been formulated to expedite the various procedures.
Vijay Devnath, Chief Information Security Officer, Centre for Railway Information Systems (CRIS)
Our focus is on availability of the service. We are more harassed by touts and fraudsters than any kind of hacking as we don’t hold any kind of sensitive data. The data which we hold is already in public domain. We don’t need to do things like data leakage protection. More of our security and vigilance infrastructure is devoted towards negating the influence of touts. Most of our people who are involved in IT and IT security are themselves experts and they are not able to discipline themselves being government employees. So no process works. end of the day we realizes that issues like high internet connectivity, link person to IP, social networking sites, major servers are being based outside India are posing challenge for us and we are working towards overcoming these challenges
Dr Samsher, Director, National Institute of Electronics and Information Technology (NIELIT)
Security has to go from an end to another end. To achieve this, we have to build capacity from the base level. NIELET has many programmes of basic computing and IT-related subjects at graduate and post graduate level. We also go for research and innovation projects. In security, we have to be pro-active rather than active. We have to create an innovative counter mechanism, which will enable us to act on time and safeguard us.
Golok Kumar Simli, Principal Consultant & Head -Technology, Ministry of External Affairs, Government of India
If we talk about security in e-governance, we need to open up first and then think about other things like security. On one hand, security is real while on the other, it is imaginative. We have to start working on something to come up with proper security. It is purely up to the departments on how do they analyze and classify data.