Secure IT 2011

Inaugural Session

Efficient use of technology, not procurement, is the key

India stands at a threshold where security is an area that poses a great threat as well as throws a great opportunity at us

Security, whether internal, external or cyber, is one of the gravest concerns of any nation today. India stands at a threshold where security poses a great threat as well as a great opportunity, and using this opportunity, coupled with new and innovative technologies, will help us overcome the threat.
Effective use of technology, technology for disaster management, community awareness, open data policy and other such important topics were discussed at the inaugural session of Secure IT 2011.

The eminent speakers included Anil K Sinha, Vice-Chairman (in the rank of Cabinet Minister), Bihar State Disaster Management Authority & Chairman & Co-Founder, Global Forum for Disaster Reduction; Shambhu Singh, Joint Secretary (North East), Ministry of Home Affairs, Government of India; Sanjiv Mital, CEO, National Institute for Smart Government; and Maj Gen (Dr) R Siva Kumar, Head (NRDMS) & CEO (NSDI), Dept of Science and Technology (DST), Government of India.

Open data policy, as discussed at length by R Siva Kumar, DST, is critical for our nation: first, it would reduce the burden on the government sector of locating information, and second, it would somewhat reduce citizens' need for Right To Information (RTI) applications.

Data once recognised as ‘non-confidential’ should be available publicly for various purposes such as research, social audit and stock-taking.

The main cons in the debate over an Open Data Policy are reluctance to share data and non-availability of data in digital format. The pros are simple for everyone to see. It will be a reason to digitise all government data, which is in any case a much-needed reform. It will also help government officials monitor themselves.

However, RTI and Open Data are different, though the two are often confused.

A major point regarding the same was highlighted by R Siva Kumar, “It is slightly different if we see it from the perspective of RTI. RTI is more reactive where information is available only to the applicant and he/she can further disseminate it but in digital data sharing (open data) we are aiming at a more proactive manner of all government departments.”

“We also need to have meta data, that is the data about data, which will enable people to discover the data and then explore it. We need to develop a lot of technological tools for all these,” he added.

“Much can be learned from Japan”

“In the way in last couple of years we have seen, disasters have literally been knocking. It is the worst disaster that took place in Japan. Look at how they have reacted to it. What has happened in Japan is ironically an alarm for people in Bihar and all over India. Japan undoubtedly is the best prepared country for such disasters. They had prepared for the worst, but their worst was around 8 on the Richter scale, they were beaten as what happened was much more than what they had imagined that too happened at a location at a depth that generated a large tsunami. If you have closely watched the losses and damage due to earthquake were almost negligible, they coped very well with the tremors. One thing which is notable and remarkable in the people of Japan is how they responded to the earthquake.

They first try to observe the seriousness of the tremor as they get hit by tremors almost every day. Once they realise that this is something unusual then they follow the do’s and don’ts taught to them in preparedness.

There are so many areas where we can learn from them. This was one of the gravest possible situation and see how they are coming back to the usual living. You won’t find media showing large number of dead bodies or people shouting and running around for food or other things. Why did they respond like this compared to the usual behavior of the people in such situations? It is because of their preparedness for disasters. They know what to do and how to do in such a situation. Knowing what to do and how to do in such crisis situations is what we should learn. IT is a great tool to tell people what to do but how to do will come only from practice, mock drills, which has to be done repeatedly, like it happens in aircrafts. Have you ever boarded a flight where the initial safety instructions are not given? No.

Many of the buildings we live in have fire extinguishers, are very well maintained but how many of the residents are trained to handle that fire extinguisher? In Japan you don’t only have to come out of the building but also use the fire extinguisher, fully operate it. Public awareness and community education is the first step towards any disaster preparation or litigation. You cannot talk of risk reduction or litigation unless there is awareness and education. This is the area where we are weak. Public awareness and community education is the basic step and important also because they are the first respondents to any such disaster. We have to use the technology to reach out to women, children and each and every class. Not technology alone will help; effective use of it is the essential part.”

Excerpts from his speech at Secure IT 2011

Technology alone cannot be a panacea for all our problems. What is needed is knowing the technology, using it effectively and coupling it with highly efficient traditional methods. For example, GPS is a very effective tool for monitoring and tracking movements. Using it to monitor vehicular movement can be a good move, but coupling it with traditional methods, like appointing an armed guard in a government vehicle, will ensure a two-point strategy. Sanjiv Mital, CEO, National Institute for Smart Government (NISG) pointed out some facts in this direction. He said, “Technology alone will not make a difference. Effective use of technology has to be there. Some time back a truck carrying explosives meant for various legal tasks such as mining, construction etc. went missing. If we have a proper tracking system for those trucks those explosives might not go into wrong hands.”

“In Chhattisgarh use of simple GPS has increased the efficiency of the PDS by at least 10 times. Use of technology today and if it is a secure technology will definitely be of great use and great help,” said Shambhu Singh, Joint Secretary (North East), Ministry of Home Affairs, Government of India.

Another prominent topic among the many discussed was disaster management, addressed by Anil Sinha, Vice-Chairman, Bihar State Disaster Management Authority. He meticulously pointed out various lessons that India, as well as all other countries, should take from Japan in coping with disasters such as the one it suffered just recently. “What has happened in Japan is ironically a wake-up call for people in Bihar and all over. There are so many areas where we can learn from them. Public awareness and community education is the first step towards any disaster preparation or litigation. This is the area where we are weak,” he said.

Public safety in terms of internal security and disaster management are the most relevant topics in the wake of the recent disaster in Japan and the various insurgency incidents happening in India as well as all over the world. Optimum and effective use of technology is the key to dealing with all. As it came out in the session too, technology alone won’t suffice. For example, having a high-tech biometric smart card won’t suffice if the card holder doesn’t know how to effectively use it and we don’t have solutions that are compatible with that particular technology.

The event had many other important themes for the day with the first session being on ICT in Policing, Intelligence, Prisons, Airport, Railways, Border Security; the second on Disaster Management: Preparedness and Response and the third on ‘Security of IT Infrastructure: Cyber and Network Security’.

Cyber and Network Security

Phishing the boundaries

In the wake of cyber security threats, India needs to focus on strengthening the security of IT infrastructure and combating the dramatic rise of cyber crimes

Computers rather than missiles could pose the biggest security threat, with nations able to cripple rivals by using cyber warfare.

Indian companies lost about ₹ 58.59 lakh in revenues in 2009 due to cyber attacks, according to the Symantec 2010 State of Enterprise Security Study. In addition to this, Indian enterprises also lost an average of ₹ 94.56 lakh in organisation, customer and employee data in 2009, while they lost an average of ₹ 84.57 lakh in productivity (factors leading to hampering of work like problem with servers), according to the Study.

With Gartner predicting that total data center capacity in India would grow at 31 per cent to reach 5.1 million square feet by 2012, data security is a concern for IT administrators. The study found that more than 50 per cent of the enterprises surveyed planned to implement significant changes to their data centers in 2010.

Reportedly, a total of 198 Indian government websites were defaced by foreign hackers in the past six months. B Bhamathi, Additional Secretary, Ministry of Home, Govt of India says, “Risks in cyber space have the potential to damage national security, businesses and individual civil liberties.”

Srinivasan Ramakrishnan, Former Director General, C-DAC and Chairman, Delhi Chapter of Cyber Society of India says, “Technology can itself be a good solution but can introduce vulnerability, too. The new upcoming technologies must consider the protection aspects and enough safety. We cannot leave the security issues only purely to service providers and government per se. Different stakeholders have to play their own game.”

Trends in cyber crime

The recent trends in cyber crime are professionalisation of cybercrime, hacktivism, cyberwarfare, rising rate of identity theft, epidemic of security vulnerabilities in software & networking products, shrinking time from exposure to attack, soaring rates of SPAM, targeting of web-based applications, targeting of desktop computers, new risks stemming from mobility of data; and emergence of sophisticated, multi-vector “blended threats”.

Pavan Duggal, Cyber Law Expert and Advocate, Supreme Court of India says, “The major cyber crimes that the government and the police are facing are four in different categories. The first category can be of cyber crimes against persons, like cyber-stalking, cyber harassment, cyber-nuisance. The second category is cyber crimes against property, where a particular property is targeted – a computer, a network, a data base, or some information. Hacking and cracking are typical cyber crimes against property. The third category is of cyber crimes against nations- where a particular nation is the target.”

SS Sharma, Additional Director, CERT-In, Department of IT, Government of India opines, “The attack targets are critical infrastructure, the business intelligence, personal and peripheral information. Today, the motive of cyber attack is more of purpose orientated, stealing intellectual data and business information.” Recently, the government issued the draft of the proposed National Cyber Security Policy (NCSP), which identifies indigenous development of IT products as essential for curbing threats from imported hi-tech products.

“The country needs a detailed regulatory, legal and policy-enabling regime”

Risks in cyber space have the potential to damage national security, businesses and individual civil liberties. With the objective of having an integrated approach towards policing, the Ministry of Home Affairs has come up with a ₹ 2000 crores project – Crime and Criminal Tracking Network and Systems (CCTNS). This important project is scheduled to be in place by 2012. CCTNS-CAS is being developed on a Service Oriented Architecture (SOA) which shall enable the seamless sharing of information on crimes and criminals within police departments and across various other external agencies like transport departments, passport authorities, courts and jails.

CCTNS addresses several functional and technical challenges with respect to data standardisation, generation of reports, redundancy in data entry, mapping of major and minor crime heads. CCTNS aims to facilitate storage, collation, analysis and transmission/sharing of crime and criminals related information at the police station, district, state and central levels. National Crime Records Bureau, on behalf of the Ministry of Home Affairs, is the nodal agency for overseeing the implementation of this project. CCTNS can act as a catalyst and technology-enabled agent for initiating a change in police functioning.

To address issues pertaining to natural and man-made disasters, the Disaster Management Act of 2005 was passed, leading to the formation of the National Disaster Management Authority (NDMA). It is mandated by the Government of India to create the policy framework, transform disaster management plans and establish guidelines for effective response to disasters. The enforcement of its policies and implementation of its guidelines, disaster mitigation provisioning and disaster prevention also form the broad charter of the apex body. The pace at which the envisaged reforms and modernisation initiatives are being adopted is not the same as that on an international level. The country needs a detailed regulatory, legal and policy-enabling regime to facilitate further protection and preservation of cyber security.

The security architecture proposed for the CAS application shall ensure complete authenticity and integrity of data and transactions. Access control procedures shall cover all stages in the life-cycle of user access, from the initial registration of new users to the final de-registration of users who no longer require access to information systems and services. Special attention shall be given, where appropriate, to the need to control the allocation of privileged access rights. Government needs to create a national body to evolve a fine balance between cyber data protection and privacy of citizens as the society and businesses become a part of the huge electronic ecosystem. Cyber security can be achieved if interwoven with corporate governance.

A new form of warfare

Cyber war has moved from fiction to fact. Cyber terrorism is one of the biggest challenges India is facing. The cyber terrorist today is an extremely intelligent mind whose only job is to try and destabilise a particular country, its institutions or its networks for the purpose of creating terror in the minds of the people.

Pavan Duggal states, “A cyber terrorist, who is jamming or effectively destabilising the network could have far bigger ramifications and that is where I think India really needs to work hard in terms of coming up with distinct laws on cyber crimes.” Globally, the most recent case of cyber attack involves Iran. Iran has been targeted by a second computer virus, the Stars virus, in a cyber war waged by its enemies, according to its commander of civil defence Gholamreza Jalali.

Prof Srivathsan, Pro VC, IGNOU elaborates, “The concern is regarding professional and academic approach to deal security. Every data has its multiple attributes. Different parties have right to own it. We need to evolve certain data models—i.e. what is data and who owns it.”

A major tool of cyber warfare is the key-logger, a software program or device designed to monitor and log all keystrokes. Key-loggers are intended not to steal source code or information but to record the data input into a computer, to be used for financial fraud.

Says Prof K Subramanian, Director, Advanced Center for Informatics & Innovative Learning, IGNOU, IT Advisor, CAG of India, “Cyber has no territorial boundary. Identification mapping in citizen to citizen and asset classification are challenges in cyber security space. Management, technology assurance, financial and network audit, service delivery assurance and forensic aspect should be covered in security considerations.”

In the wake of increasing cyber crime in India, the Information Technology Act, 2000 was amended in February 2009, but it remains an insufficient tool to effectively protect the nation from a cyber onslaught. While, laudably, the new Act legislates against the growing menace of identity theft, phishing and violation of privacy, it does not even contemplate the tools of modern cyber crime.

B Bhamathi says, “The country needs a detailed regulatory, legal and policy-enabling regime to facilitate further protection and preservation of cyber security. Government needs to create a national body to evolve a fine balance between cyber data protection and privacy of citizens as the society and businesses become a part of the huge electronic ecosystem.”

She adds, “Cyber security can be achieved if interwoven with corporate governance.”

From power stations to sugar factories, dam sluice gates to suburban train signalling systems, banks to stock exchanges, most complex systems are largely controlled by computers. If hostile elements gain control of these decidedly civilian establishments, they can create havoc. Therefore, cyber security has to go beyond securing overtly sensitive systems such as in the government and the defence network.