Growing dependence on networked information systems and availability of sophisticated cyber attack devices call for matching efforts to keep valuable data and information secure and intact, says Dr Nirmaljeet Singh Kalsi, Advisor and Additional Secretary – Inter State Council Secretariat (ISCS), Ministry of Home Affairs, Government of India, in an interview with Souvik Goswami of Elets News Network (ENN)
Having been a key policymaker for long and with vast experience in ICT, eGovernance and information security, how do you perceive global threats in terms of cyber security?
With ICT becoming all-pervasive in our lives today, cyber security has emerged as a major concern for governments, organisations, businesses and individuals. The cyber and physical worlds are at crossroads. Complex information infrastructures are now increasingly becoming open and interconnected, and offer a range of intelligent services tailored to the needs of each individual.
Increasing commoditisation, affordability and availability of cyber-attack tools and sophistication of cyber attack vectors employing organised cyber criminal gangs present an ever-growing concern and challenges for all governments and the decision-makers. The consequences of a cyber catastrophe could be quite unexpected and disastrous, which many have serious secondary and tertiary effects on the national and economic security of countries.
What in your opinion are some of the major security challenges in the year ahead?
Targeted attacks, social media scams, cyber espionage, malware and ransom-ware are growing at a rapid pace and are increasingly targeting the newer technology platforms globally. With cyber criminals becoming increasingly sophisticated in their methods and targets, in the years ahead, security risks would include more sophisticated and even larger scale espionage attacks and hacking the Internet of Things (IoT). This would be in addition to the still widespread ‘traditional’ cyber crimes, such as stealing of financial information, internet password hacking, identity theft, economic frauds, corporate espionage and hacking attacks, etc.
Experts warn that one of the biggest threats to the online world in 2015 could be increased ransom-ware attacks, encrypting data on the mobile/IoT devices and Cloudbased targets restricting access to the infected computer systems. The ransomware attackers will extract ransom payments from victims to release their encrypted data.
With smart cities and Digital India initiatives catching on, the Internet of Things will be integrated into every device, every application and every market. Therefore, while designing these networks, the security aspect will have to be given top priority as it could compromise these interconnected systems.
There are also growing trends in cyber espionage, which is becoming the weapon of choice for many state and nonstate actors, and national governments and more small nation states and terror groups will use cyber warfare.
In the financial sector, with contactless and mobile payments becoming a global norm, there’s a new opportunity for cyber criminals. Easy-to-crack passwords will continue to be a big risk and therefore different multi-factor password options will replace the traditional passwords.
According to data from the National Crime Records Bureau (NCRB), Cyber crimes registered under the IT Act shot up by over 50 per cent across the country between 2012 and 2013. These numbers may be just the tip of the iceberg, as several incidents still go unreported. Globally, the losses estimated due to cyber crime are pegged at about $400 billion per year. Such costs will continue to grow as citizens, organisations and governments continue to adopt technology, unless best practices and standards for cyber security are diligently followed.
The digital world is a reality today in all aspects of our lives. Digital infrastructure is the backbone of prosperous economies, vigorous research communities, strong militaries, transparent governments and free societies. Lakhs of people across the country rely on the electronic services in cyberspace every day. As never before, ICT is fostering transnational dialogue and facilitating the global flow of information, goods and services. These social and trade links have become indispensable to our daily lives as well as the economy of our country.
Besides, critical life-sustaining infrastructures that deliver electricity and water, telecommunication, internet and broadband connectivity, control air traffic, and support our financial systems, all depend on networked information systems. The reach of networked technology is pervasive and global. Therefore, improving and securing this digital infrastructure in all its dimensions is critical to India’s future.
The government also at all levels – central, state and local – is increasingly using ICT to enhance productivity, improve efficiency in service delivery, speed up development in all sectors of economy and improve the governance. Paper-based records are now in electronic records, which can be accessed from anywhere across the globe over the communication networks. The electronic information, especially on a network, is vulnerable to unauthorised access, which could adversely impact the overall internal security and national security interests of the country. As the government broadens the scope of its drive to move towards e-governance and embraces technology for citizen- centric services, it faces threats from multiple sources. Securing sensitive information is, therefore, important for the strategic security, economic stability, uninterrupted operations of banking and finance, etc.
How use of technology and ICT can help in ensuring better security and safety for the citizens?
ICT has become the backbone of our economic growth and is critical for both economic and social well-being of the nation. Over the next few years, India will witness manifold growth in the number of Internet users, devices and data. For government and policymakers, this will create equally daunting challenges. Such challenges include public safety, economic security, internal security and ultimately the national security. The nature of the risk profile today (combined with the volatile nature of changing technology and market landscape) pushes us towards making the information security culture into a proactive one. In order to ensure a proactive approach of gathering Intelligence on unwanted cyber activity and cyber-attacks is of utmost importance. Such intelligence needs to be made actionable as an early warning system, which not only helps evade potential threats, but also provides key trends and resources for the effective security management.
The information is all around us – within Twitter, Facebook, LinkedIn, network traffic, emails, documents created by employees, behavioral patterns of people, our ecosystem, etc. New platforms are emerging that scan and analyse such massive heaps of structured, semi-structured and unstructured data; security alerts and system logs (structured data) to emails and social media content (unstructured data) for threats.
How can cyber security threat be tackled, especially in this age of vibrant social media?
With advancements in the security capabilities, we observe that cyber criminals have moved to leveraging social engineering techniques for perpetuating attacks. If you consider the method in which most attacks on critical infrastructure were executed globally, you will find a definite trend in the increasing usage of social engineering. Let us look back by 10 years. Very little personal information was available in the public domain then about an individual. Now, with everincreasing use of social media, every facet of an individual’s life is available online. Social media, although it does have options to protect information, continues to be more easily exploited through the social engineering attacks. Lack of user awareness, user apathy towards cyber security, information security and poor security hygiene in organisations are the leading causes for making them vulnerable and exposing them to successful social engineering attacks.
End-user awareness, education and capacity building with organisations are crucial to thwart such attempts by the attackers to execute the socially engineered attacks.
The National Information Security Policy and Guidelines has been developed for safely handling the electronic information that is created, stored, edited, processed/ manipulated, accessed, transmitted and destroyed in electronic form. This document elaborates the baseline Information Security policies and guidelines, and highlights the relevant security concepts and best practices for handling electronic information during its entire lifecycle. This policy is mandated for all the ministries, departments, and organisations.
The document provides guidance and control objectives aligned in eight main domains and six additional areas, which form the core of information security practices and frameworks globally. The contribution of each domain to the success and effectiveness of the information security programme is intertwined with the level of maturity and success of the other domains. Thus, together they help create a baseline for a robust information security programme.
The core domains covered as part of the NISPG are Network and Infrastructure Security; Identity, Access and Privilege Management; Physical Security; Application Security; Data security; Personnel security; Threat and Vulnerability Management; and Security and Incident Management. Guidelines have also been provided for essential security practices i.e. Security testing, Security, auditing and ICT continuity. Further, guidelines have been provided for technology-specific ICT deployment and trends like Cloud Computing, Mobility and Bring Your Own Device (BYOD), Virtualisation and Social media.
Your message for the SecureIT 2015 event organised by Elets Technomedia?
Increasing digitisation of information, expanding exposure of government organisations due to connectivity and the use of external providers, rising dependence on the global ICT supply chain, etc., are posing serious threats to information security. Therefore, security is an important aspect and we should not sacrifice security for efficiency. The government recognises this challenge – more so in the context of national security. The SecureIT 2015 event will bring the stakeholders of the IT and security domains on one platform, which is the need of the hour. I extend my best wishes to the organisers — Elets Technomedia Pvt Ltd — for a huge success of the event, which is so very relevant under the present scenario.