Protecting Critical Infrastructure : Jerry Cochran, Microsoft Corporation

“We see India as a key developing area for Critical Infrastructure Protection (CIP). There is a lot of scope for leadership. Some of the work that is done in India is very encouraging from the development perspective”, says Jerry Cochran, Senior Security Strategist, Microsoft  Corporation

You lead Microsoft’s efforts for Critical Infrastructure Protection (CIP) and cyber security exercise at various levels. Please elaborate upon the need for protecting the Critical Infrastructure.?

National security, economic security and public health safety are the major areas which come under the purview of Critical Infrastructure Protection (CIP). The Government typically organises these sectors into silos of activities such as the energy, transportation, banking and finance sector, and all of these undertake activities to protect that Critical Infrastructure.

However, it is important to separate Critical Information Infrastructure (CII) and to differentiate it from Critical Infrastructure, as CII encompasses information and communication  technology assets, that cut across all sectors. Whether you are in the banking or finance or oil and natural gas sector, you are dependent upon the telecom and IT products to run that infrastructure. So when we are talking about CII, we are talking about protecting those cross-cutting interdependencies. When we talk about cyber security it directly applies to that, because they are pieces of infrastructure that are dependent, they have  IT  infrastructure that is cross-cutting.

It is important to note that IT and communication has a very virtual and logical identity, they are not a set of physical assets. Therefore, they can not be organised into silos and we need to see what each of these are, and approach them from the IT and communication perspective.

In India we see that the Critical Infrastructure is gradually moving into the private hands. There are two ways fi rst of all, the government itself wants the private sector to make more and more investments. Secondly, the government is privatising its own state owned enterprises either partially or fully. Your comments.

In every country in the world, what we have observed is that there are different drivers of the government and the private sector – operators and owners that impact upon the policy and regulation.

There are different regimes in different parts of the world. For example in the United States about 85% of the Critical Infrastructure is owned by the private sector. If you take another country like Australia, most of the Critical Infrastructure is owned by the government. In Norway, almost 99% of the Critical Infrastructure is owned by the government too.  Therefore, they do not have to deal much with the private sector. In India, it is seen that there  is a combination of the public and the private.

The government’s focus is on what are its core competencies and create and provide  opportunities for the private sector. The government should invest in what they are best at  and create incentives for the private sector. In every country there is a different policy and  regulatory landscape on how the decisions are made. One important thing is to acknowledge the fact that what might work for a particular country may or may not work for another.  What may work for the US may not work for India or Australia. Whether it is a developed country or a developing country, the governments need to decide what is best suited for them.

Please tell us about the need for a layered approach to CIP.

First of all, the idea is that at a higher level, there is a need to acknowledge the importance of  CIP in national and economic security and public health safety. The Government of India has  done that in further provisions and amendments in the IT Act or going towards recognising  Critical Infrastructure and understanding that there is a dependency on that Critical Infrastructure upon Information and Communication Technologies and it is important to  manage risks. It is also important to recognise what you want to accomplish at the village  level, at the city level, and at the national level and what you want to acknowledge and  achieve in that infrastructure. This can be worked through the joint efforts of the government  and the private sector.

What are the different kinds of threats to Critical Infrastructure?

In terms of threats, almost all countries are taking an all hazards approach and not just  against cyber threat. This is because of the fact that the way someone can hack into the control panel or shut down a power grid, someone like a terrorist can also blow something up  which does not have a cyber component at all. So in terms of protecting the Critical  Infrastructure, there has to be an overall protection from all threats including threats from terrorists and natural disasters. For example, in the US, hurricane Katrina had a devastating  effect on the information and communication systems, telecom systems and power of that  region. Similarly, in the twin tower terrorist attack of 9/11, the telecom and communication  systems of that region were affected, which directly hit the New York Stock Exchange.  Threats are therefore of various kinds, natural and man made, intentional and unintentional.

What are some of the features of Microsoft-based solution
for protecting Critical Infrastructure such as rail, roads, ports, power and water supplies?

Protection of Critical Infrastructure requires setting or defi ning the roles for the public and  the private sector in the risk management process. The government sets various goals and  functions that are to be performed from their end. There are some critical functions that they  want to provide in terms of the economy, national security, etc. Therefore, they can work in  Public Private Partnership (PPP) in order to provide the citizens with the Critical  Infrastructure such as power and water. The owners and the operators can get together and fi  gure out the risks, prioritise the risks and fi nd solutions to those risks. You can also see how to  analyse those risks, you can look for existing medications and also look for further medications  for those risks. The owners and the operators in a case like the US, where almost  85% of the Critical Infrastructure is owned by the private sector would know the best way to  protect the Critical Infrastructure. Similarly, in the case of Norway, it is the government who does the same. But it is important to know how these critical functions are put together and to know what are the critical inter-dependencies and intersecting points.

The other important key point is building operations or response frameworks. You have a  cyber incident or a natural incident, or a terrorist incident, regardless of the origin, there needs to be a way to respond and recover every aspect of the Critical Infrastructure assets. In  the operational response framework, the government may have an operational response capability. Even a private sector company like the Microsoft can have an instant response  capability, however, often what we fi nd is that those are not aligned. For example, in the cyber security arena, CERT India can have a specifi c way that they respond to India and  India’s specifi c events. There can be an industry consortium that has sectoral Internet response mechanisms. In US, we call it Internet Sharing and Analysis Centre (ISAC). In  Microsoft, we have our own security response for our own product vulnerabilities and yet we  do not collaborate or align our operational response framework across those layers of the  individual private sector or government. In the US, what we do every two years is a National  Cyber Security Exercise under the Department of Home and Security. This exercise really  seeks to align those three layers – the government, the sector and the owner – which is the operator.

And fi nally, there is a need to have a continuous set of interactive cycles. You can not just    assess the risks of Critical Infrastructure and provide some control, mitigate risks and then walk away, since the landscape is constantly changing and the infrastructure itself is  constantly changing. In India, the infrastructure is continuously moving into private hands and that will change the entire risk equation so it has to be continuously reassessed and redone. The point is, that we want to create a culture of regulating security across the public and the private sector. The process has to be supported by legislation. This is one of the reasons, why the IT Security Act in India is going to continually evolve and some of the proposals for amendments could be implemented.

What is Microsoft doing about CIP within the overall
umbrella framework of  Trustworthy Computing? Please tell us about some of your government sector projects in this area.

Trustworthy Computing is an initiative started by Microsoft in 2002 and it really changed  the way Microsoft builds its software and the culture in the company. They have four pillars –  security, privacy, reliability and business practices. If you see them from a pure Microsoft  product point of view, there may be a huge need for change. But if you look at them from a  Critical Infrastructure point of view, I may need to worry about security of Critical  Infrastructure, data protection and privacy. The business practise is very important  especially what the consumers, the government and the industry view about Microsoft as a  company. Are we open and transparent? Are we working on multiple products and solutions?  Are we following the government’s rules and regulations? These are all the issues that we are  trying to work on, in order to build the Trustworthy Computing.

In CIP and Trustworthy Computing, we are really working on three to four fronts. One of  them is Software Assurance. Software Assurance is a complete way of improving the security of softwares. It is also about software and security life-cycles and how do we reduce the  number of vulnerabilities and improve the life-cycle of our products. For example, how do we  know when a developer checks something in the resource stream and how do we know that the  developer had an access or that he was authorised with a check-in code? How do you know  before our softwares walk out of the door, that they are free of viruses? How do we know  that all the binaries have digital signatures, so that when you get it as a customer you can  verify if this is the fi le that Microsoft wants me to have? So there is integrity mechanism for  the integrity of softwares and also assurance management to reduce the number of  vulnerabilities. The fi rst one is working with the government on software assurance and with  the industry and the private sector.

The second area is CIP policy dealing and engaging in conversations with different  governments from time to time. For example in India, Microsoft, as part of the consortium has provided feedback on the IT Act and made recommendations on amendments.

The next area is what I would call operational CIP. Operational CIP is all about how do we  bring industry requirements for operational response framework, how do we bring them to  align with our own processes. It is also about how we give everything that is needed by the  government as each government is different. It is to ensure that Microsoft approaches  different governments in a different way. The fi nal one is CIP alignment. This is where we work to make our products better-suited for Critical Infrastructure. Most of the control  systems in the world, such as transportation, electricity generation, oil and gas and water  supply are all run by control systems and a large number of those operating systems have some aspect of windows operating systems.

Whether it is the data base server system running windows or it is the operator control that   controls the windows running, windows touches all aspects of the control systems. So what can we do in the control system? How can we collaborate with different vendors of control systems such as Siemens, AVG, etc? There are different vendors of control systems that are making their solutions on windows. One example is that we are getting them to use the security development life cycle, so when they are developing their own software upon Microsoft, they are following the same security and development practices that we are following.

What are the best practices that are followed in the
United States?

One of the things that we see in the United States from a maturity perspective is that we have  a very close information sharing relationship with the government and private sector. We  share information on vulnerabilities. For example, US CERT will call Microsoft security  response centre before they release a bulletin that is related to our software or put up on a blog  or published as a best practices white paper. Other examples would include things that  we do from a risk management perspective. In the IT sector in US, we have decided to take a  different approach, as I said, IT sector assets are not physical, they are diffi cult to manage.  Protecting assets in Washington and New York may be important for Microsoft but from the  point of view of IT infrastructure, it probably does not matter. It is more important to know what Microsoft provides in the eco-system and how do we protect that, so that we take a very  function based approach. So the provision of products and services or the ability to provide  Internet management or the types of softwares are more important than the physical facilities.

Who are the other market players in CIP and what are the
competitive ventures Microsoft has under taken?

One of the competencies of Microsoft is that we have really improved our security systems. If  you look at other vendors in the market such as Oracle or Apple who have recently started and came in the spotlight in order to fi x vulnerabilities, Apple in the last two years has  started on the security vulnerabilities. Where as we have been working on that since 2002,  and this really gives us an opportunity to differentiate ourselves. Also we have had a long  term relationship with the US government and other governments in CIP.

In Microsoft, we have a mature practice for Critical Infrastructure. One of the things that we    fi nd in Critical Infrastructure is that some of our very top competitors, such as Oracle or Symantec or McAfee, are actually some of our best partners. We may have differences in product competition, but when it comes to protecting infrastructure, we are all in the same boards and committees. We work together with Symantec or IBM to make recommendations to the government.

You said your competitors are your partners, so is there any challenge of interoperability in CIP?

If we look at ways to secure and manage the Critical Infrastructure, we have to do away with  interoperability. For example, the US government is working on the information sharing  technology, so that different agencies within the US government can share information about vulnerabilities, incidents and attacks. The US government is building a common framework  to enable the Critical Infrastructure.

What are your plans to expand your market in the fi eld
of CIP in India?

We see India as a key developing area for CIP. There is a lot of scope for leadership. Some of the  work that is done in India is very encouraging from the development perspective. Microsoft  would really want to continue the engagement in the best practice perspective. We would also  like to continue our engagement with associations like CERT India. We would like to help the  government in shaping its IT Policy in a holistic manner. We want to continue our  engagement and foster and evolve our relationship. There are also a lot of opportunities for  partners in India. India is a key IT skill area. Microsoft has a keen interest in investing in  India. We have our offi ces in India and we look for future partnership in India.

As you mentioned in the US, CIP is under the private
sector and in Norway it is under the government. India on the other hand is in the middle. Where do you exactly think India to be?

India has taken some key steps towards CIP. Firstly, in terms of its defi ned government policy  perspective. They have recognised the importance of CIP, the importance of Public Private  Partnership (PPP), public health and safety dependent upon infrastructure. They have also  recognised the difference between infrastructure in general and information infrastructure.

In terms of the other aspects of India, like the US has its allies with other countries such as UK  and Canada, in the developing world we can locate China and India. India is very promising  because of the fact that India has a mixed private and public ownership. What we also see is  the policy landscape and the drive for democracy and social responsibility, by the  government and business. India is very promising. Therefore we are very interested in  furthering that engagement with India.

Which one of the two – control by the industry or control
by the government do you think has an edge over the other?

For a country like Norway, which is small in terms of surface area, population and single  language, the control by the government works well. For a country like United States, which  is so large and so vast, or for a country like India with huge infrastructure, it is hard to  imagine the government to work for CIP. So we would prefer a strong Public-Private Partnership (PPP) because we depend heavily on the government for creating a conducive  environment.