There is an Immense Opportunity in the e-Governance Space

Michael Sentonas, Vice President and Chief Technology Officer, Asia Pacific, McAfee

McAfee Vice President and Chief Technology Officer, Asia Pacific, Michael Sentonas is responsible for driving the integrated security architectures and platforms that have propelled McAfee into a leadership position in digital security, with a focus on the Asia Pacific region. With a background in sales and engineering, he has been able to drive innovation and optimise product direction and development in the company. He has over fifteen years' experience in the IT industry, focusing on internet security solutions with past roles including software development, security consulting and management. In an email interview with eGov, he talks about the major security challenges to government business and McAfee's involvement in the government sector.

What would be some of the most critical security threats the Indian government faces?

Governments globally face threats to key assets. These threats can range from hacktivism, attacks on critical infrastructure through state-sponsored cyber sabotage and intellectual property theft. Increased penetration of mobile devices means more mobile government workers and increased potential for data leakage and for malware penetrating into the network if security policies and technical mechanisms are insufficient. Second, as the Unique Identity (UID) project rolls out, ensuring utmost protection for the IDs and data associated with each record would be critical. The Indian government is already planning a comprehensive security strategy to protect this project. Third, outsourcing protections will be critical – and this revolves around legislative policy or laws which the government should be instituting – since so much of the Indian economy relies upon outsourcing.

What are your views on security of public information in India, particularly with respect to the UID programme?

Currently, security adoption across government enterprises is largely restricted to perimeter security and malware protection. However, the UID is one programme which takes stringent steps to preserve and maintain critical citizen data. It has been structured in a way so as to prevent any sort of data leakage, as it deals with confidential individual information. The privacy of the individual is respected and this will be one of the major reasons for the success of the project.

What is McAfee’s play in the government sector? Could you share with us some of your major initiatives in this sector?

There is an immense opportunity in the e-Governance space for technology and related companies in India. Industry reports estimate it to be in the region of $6-10 billion over the next 2-3 years. At McAfee, we are very bullish about the Government vertical globally and this strategy translates into the Indian context as well. We have a separate team globally as well as in India that has been institutionalised for managing government projects; bearing testimony of our concentrated focus on this sector. The initiation of large projects such as UID project, r-APDRP (restructured-Accelerated Power Development and Reforms Programme) etc., and the international phenomenon of terrorism moving into the cyber domain implies that IT security will continue to grow in importance for the Indian government. We are working together with a number of Indian government agencies and ministries through our channel partners to help develop coordinated strategies to tackle the lacunae in India’s defences.

McAfee: McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ:INTC), is the world’s largest dedicated security technology company. McAfee delivers proactive and proven solutions and services that help secure systems, networks, and mobile devices around the world, allowing users to safely connect to the Internet, browse and shop the Web more securely. McAfee products empower home users, businesses, the public sector and service providers by enabling them to prove compliance with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security.

What is McAfee’s advice to protect critical infrastructure from cyber attacks?

In April 2011, McAfee and the Center for Strategic and International Studies (CSIS) came out with findings from the Critical Infrastructures report that reflects the cost and impact of cyberattacks on critical infrastructure such as power grids, oil, gas and water. The survey of 200 IT security executives from critical electricity infrastructure enterprises in 14 countries found that 40 percent of executives believed that their industry’s vulnerability had increased. Nearly 30 percent believed their company was not prepared for a cyberattack and more than 40 percent expect a major cyberattack within the next year.

In a country such as India, much of the critical infrastructure is with Public Sector Undertakings and hence owned by the government. Because of their inherent economic importance, such assets make strong targets for political sabotage, data infiltration and extortion.

Managing security issues is certainly a challenge for the government in India because there are manpower as well as cost-related challenges to deal with. A key consideration for governments across the globe is the extent to which to rely upon outsourced vs. in-house cyber security talent.

There is also a worldwide belief that regulation will somehow solve network security related concerns. Compliance never equates to security so an over-focus on regulation diminishes the importance of other important security controls. Therefore spending budget wisely to ensure the government achieves the right level of security means balancing compliance with security and the right level of in-house talent to do so.

What would be the key components of a comprehensive security plan for protecting the country’s critical infrastructure?

A highly sophisticated network security posture is needed to guard critical establishments from premeditated attacks. We recommend adhering to a 5 step risk-based checklist to create a strong network control which will minimize such attacks:

• Key network areas – IT, Operations and New Smart Grid Projects – should be overseen by a single security authority responsible for interconnectedness and synergies necessary across all three as compared to a silo-based approach. It is advisable to have a single security authority so as to enable holistic protection of the assets.
• A strong data governance plan that classifies data as per its value needs to be developed. Post this, a relevant plan to safeguard vital data (at rest on the network, in transit within/to/from the network, and in peripherals and mobile devices) can be executed.
• Cyber attacks can also be instigated through a weak vendor network, as a result of which hackers can gain direct access to the critical infrastructure. Vendors should be selected carefully and made to validate their security standards. When vendors notify new patches or other urgent actions over a possible threat, the recommended mitigation steps must be assigned high priority.
• Daily vulnerability assessment to understand potential weaknesses especially when new devices/applications are added to the network is also needed. It is also important to maintain regular checks when the control system becomes IP-enabled.
• There has been an increasing trend in the deployment of ‘whitelisting’, a technology which blocks all unauthorized executables or applications and obviates the need for regular updates which require downtime on the network. It is also suitable for devices which are purpose-built – such as control systems; or those that run only limited applications – such as servers.