India has tremendous scope to enhance its cybersecurity readiness
Jared Ragland, Director for Policy in APAC for BSA - The Software Alliance, speaks to Tech2 about ideal cybersecurity policies
Leaders of the world today have an additional challenge to worry about - cybersecurity. With cyber attacks getting bigger, stronger and smarter, no country can afford to ignore this looming threat. Jared Ragland, Director for Policy in APAC for BSA - The Software Alliance, speaks to Tech2 about ideal cybersecurity policies, sheds some light on how India compares to the rest of the world in terms of cybersecurity readiness, and shares pointers. Ragland previously served as the U.S. Patent and Trademark Office Intellectual Property Rights Attaché in the Shanghai Consulate General. Before that, he served as Director in the Office of Intellectual Property and Innovation in the Office of the U.S. Trade Representative.
Is there an ideal cybersecurity policy for a country? If yes, what does it entail?
With the growing publicity of high-profile cybersecurity incidents, governments around the world are becoming increasingly aware of security considerations. In order to establish a secure environment for their information technology (IT) infrastructure and related assets, it is imperative to create a solid foundation to thwart any risks and fundamentally support the furtherance of security measures. A clear and flexible policy based on solid legal foundations will ensure that both public and private entities are well equipped to face the cybersecurity challenges of a connected world.
A strong legal cybersecurity framework is comprised of the following building blocks:
Cybersecurity Strategy: A key foundation of the framework is the cybersecurity strategy, which should be a complete analysis of the country’s cyberspace capabilities, a prioritization of where it needs to focus its resources, an assessment of the security of its national information, and an inventory of its information technology assets. It should contain clearly articulated principles and priorities that reflect societal values, traditions, and legal principles. A strong cybersecurity strategy should be a “living document,” updated as required, to respond to emerging cybersecurity issues and emerging threats.
Operational Entities: Incident-response capabilities should be established to manage the most critical and significant events that threaten the confidentiality, integrity or availability of nationally significant information networks and systems. Computer emergency response teams (CERTs) and computer security incident response teams (CSIRTs) can play a crucial role in improving cyber resilience.
Public-Private Partnerships: Strong partnership between public and private sectors should be established and maintained because the private sector builds, manages, and operates much of the critical infrastructures we rely on every day.
Sector-Specific Cybersecurity Plans: Developing effective and targeted sector-specific cybersecurity strategies will help address the unique risks or specific operations of certain sectors.
Education: Because cybersecurity is an issue of national significance, public education and awareness-raising campaigns to support general awareness of cybersecurity among the citizenry and to promote the training of needed cybersecurity specialists will play a crucial role.
What would you define India's cybersecurity readiness as?
India and the other APAC markets have tremendous opportunities to enhance their cybersecurity readiness. India is among the countries in the Asia-Pacific region that have been slow in producing comprehensive national cybersecurity strategies. India’s National Cyber Security Policy was adopted in 2013; however, the plan has not been fully implemented and the legal framework supporting cybersecurity remains undeveloped. India has avoided many policies that would undermine cybersecurity providers, but it does maintain local product testing requirements regardless of whether the products may already have been tested and certified by internationally accredited labs. Such requirements can undermine cybersecurity by straying from globally accepted norms and increasing costs for consumers by requiring the development of country-specific solutions.
India has an active CERT (CERT-In) that effectively collaborates with the private sector; it has also promoted public sensitization and awareness of cybersecurity. However, rapid growth of cyber threats argues for urgency in seizing opportunities to improve upon the current foundation. Dedicated private-public partnerships will help policymakers identify key areas of intervention and work accordingly. There is a need for guidance that is tailored to the business needs of particular entities and that allows unique risks or specific operations in certain sectors to be addressed in a flexible manner.
It is imperative that the Indian government seize this opportunity to enhance the legal, policy, and operational environment for cybersecurity by implementing policies and frameworks that are stable and clear, while risk-based and flexible to adjust to evolving threats. It is also critical to avoid requirements that mandate the use of certain types of technologies and local standards. Finally, it is critical to establish public-private partnerships to leverage the private sector’s experience to improve risk management effectiveness.
Do we have a strong enough legal backbone in India to support cybersecurity policies?
The National Cybersecurity Policy was established in 2013, the Joint Working Group on Public Private Partnerships in Cybersecurity was established in 2012, and the National Cybersecurity Task Force by NASSCOM was created last year under the mandate of the Prime Minister. These are all indications that the government recognizes the need for a strategic cybersecurity policy. However, there is a strong need for the government to effectively implement the National Cyber Security Policy.
Some high-profile breaches have encouraged governments around the world to consider how to best prevent, detect and react to such incidents. The exchange and sharing of the appropriate information at the right time, coordinated among relevant actors, is considered the best way to reduce and mitigate risks and respond to cyber incidents. India should establish a legal basis for appropriate information sharing between the private sector and the government, and among the private sector, while ensuring appropriate safeguards for the confidentiality of sensitive and personal information.
The threats of the future are only going to get worse. How do we prepare for that?
We prepare for the threats of the future by ensuring that clear but flexible national policies support agile private sector solutions that are best able to respond to what is truly a global threat.
In July 2013, India declared its National Cyber Security Strategy and it should now take the next step and fully implement the strategy. The government should establish a hierarchy of priorities based on an objective assessment of risk with critical assets and sectors. Such an effort should be verified and adjusted according to changes in the technological and threat environments. This will ensure that the level of cybersecurity is constantly enhanced.
It is important that the government takes a technology-neutral approach to cybersecurity protection as this will ensure access to the most secure and effective solutions available. Implementation of these processes will enhance India’s cybersecurity preparedness and place it in a better position to mitigate the risks.
Finally, it is important to note that considering the global nature of cyber threats, cybersecurity should not be addressed in isolation. An international approach should be sought. Coordination and collaboration between governments and private sector entities from around the globe are key elements to achieving an effective approach to cybersecurity.
Is India aware of cybersecurity risks and also about reporting such incidents?
The Government of India is very aware of the challenges and its leaders are working hard to address them. CERT-In is the nodal agency responsible for dealing with national cybersecurity threats. It is responsible for forecasting cyber security incidents and taking emergency measures for handling such events. It coordinates cyber incident response activities and issues advisories relating to information security practices and procedures.
The recent Apple-FBI case sparked a lot of debate on cybersecurity policies. What is your take on it? Will we see more such cases in the future?
BSA filed an amicus brief along with other tech industry leaders in support of Apple. The legal arguments there are specific to US law, but globally speaking we have grave concerns over calls for weakened encryption, back doors, and the implications they present to privacy and security.
We and our member companies have great respect for law enforcement officials and their efforts to investigate and prevent crime, and we are committed to finding balanced solutions that protect the safety and privacy of our citizens without damaging public trust.
Encryption remains an incredibly important topic beyond this particular case. It will continue to be debated, and it is important that we continue to work to find the best balance when meeting security-related challenges.