Danger! India faces shortage of 5 lakh cyber security pros
We are also talking with the Indian Government about how we might do information sharing with CERT-In. How we, in order to help the government, see threats, do malware analysis, etc, says Symantec.
Cyber threats are no less a nightmare for the Indian government than terrorist attacks as it embarks on ambitious and high-profile projects such as Digital India. With new digital initiatives and the government's renewed focus on cyber security, Symantec sees huge opportunity in India. In an interview with Firstpost, Cheri McGuire, vice president, global government affairs and cybersecurity policy, Symantec Corporation, talks about the discussions the company is currently underway with the Indian government when it comes to policies on cyber security; and lot more.
Can you tell us about the state of cyber security both, globally and in India?
Cheri: According to Symantec's annual Internet Security Threat Report, we found an increase in targeted attacks on industries dealing with critical infrastructure in India in 2014. The year also saw 317 million malware variants globally or nearly 1 million new malware daily. In India, we saw targeted attacks in businesses dealing with critical infrastructure particularly in financial sector, communication, transportation – thus underpinning the national security and economy. Among these attacks, 60 percent were on large enterprises.
In terms of ranking, India comes in third in the global threat rank by source; 3.95 percent of malicious activity in the overall percentage is detected here. India ranks No. 1 when it comes to number of social media scams in the APJ region, and No.2 globally. This is also an indicator of a population that actively uses internet and social media and the mobile penetration. Social media scams through manual sharing accounted to over 80 percent of the overall social scams in India. The country was reported with the third highest number of ransomware attacks in Asia with over 60,000 attacks per year/170 attacks per day/7 attacks per hour.
While threat landscape knows no border and is a global concern -- considering that threats can come from anywhere, the law enforcement is one of the biggest concerns in India.
With increasing advanced threats, what is the way forward?
Cheri: A broader awareness level should be the priority. This has to be on an individual level, on a small and medium business level, and also at the large enterprise level. One of the statistics that I cite frequently is of a report that was released in February this year by the Online Trust Alliance which states that 90 percent of the breaches could have been avoided with basic cyber security practices. This implies that we need better encryption, stronger passwords, data protection during transit and at rest, modern security solutions, multi-factor authentication, data loss prevention technology among others best practices. These are the basic best practices that should be applied from individual to an enterprise level. However, they are not being implemented, resulting in increasing data breaches.
The government should also take this up on its agenda and bring in the awareness. It can also re-look the policies that are put in place and amend them on basis of sector or business vertical. For instance, identifying the critical infrastructure for financial sector or energy sector and finding the information that needs to be prioritized and protected. These are the tangible steps that the government can take.
Looking at the broader perspective, global cooperation to put an end to cyber crime has improved significantly in the last few years, but it needs to go a lot further. The threat landscape needs to be analyzed carefully –- we have everything now from individual hackers, to hacktivists, to basic cyber criminals to organised crime games, all the way up to national/state sponsored attacks.
Looking at this varied spectrum, there will be a lot of disparity in the way the threats are handled and resolved. Many a times the government will have to step in during investigation and in case of subsequent arrests and detentions -- this is where cross border dialogue and diplomatic relationships will be important. Unfortunately, we don't see that many arrests yet when it comes to cyber crime as they are very carefully hidden in the big, bad World Wide Web.
We hear a lot about the Internet of Things (IoT). What are the business challenges that are coming up along with emergence of IoT?
IoT is here and the same challenges that we saw, and even see today with internet – that it was not designed with security in mind, we are facing with IoT. We believe that we have a window of opportunity right now to address the security and privacy challenges associated with IoT. We should build in a structure of security and privacy in the beginning, rather than bolting it later. This will require companies that are making such devices and applications to engineer this at the onset. But most of them today are not doing it. We had done a study about wearable technology and its security aspect in August last year; it was surprising to see how security and privacy were not factored in those devices – they were broadcasting individual’s personal information. We believe there is an opportunity to address that now.
At our end, Symantec secures over a billion IoT devices today in the world - from smart TVs to set top boxes; industrial control system; devices that control automobiles and so on. We have just released the security reference architecture for IoT and we are trying to drive the discussion at the international level around the standard for IoT security and privacy and also around connected cars security – which is big from not just a security standpoint but also from a safety point of view.
There is lot of tension between security and privacy. With Digital India taking place, what do you think is important for a company to set the security agenda that will not infringe privacy?
Cheri: We do not think that there should be any tension between security and privacy. Our belief is that you cannot have privacy without security. If your data is not secure, then it’s not private. This is a core belief for us as a company. As far as the broader concern around trust and company, the core around that is having around more transparency.
You mentioned that 90% of the businesses could have avoided the breach if basic security measures were taken. But if we talk about businesses, a recent report by PwC states that security budgets have increased as the security attacks have increased. If the budgets are going up, then where is the lacuna?
Cheri: Organisations are playing catch-up right now. They have invested very heavily in basic business infrastructure but they had not spent proportionally on security. In addition, it is also important to know – while there are reports around statistics around data breaches but the question is did those breaches actually happen a year ago and they just discovered them or they were not reported. These are the questions I usually ask – as there are many layers to that.
Regardless of that, there is a significant issue around companies not taking the right step to protect the information. This is really the key to CIIP (Critical Information Infrastructure protection). It is not about the hardware anymore and the software, per say – it’s about the data. We have to protect what we call the crown jewel – your data. There is a common phrase that is used – it’s not about if you will be attacked, but when. If you are a large or even a small enterprise and take this view from the onset and then take the steps to protect the core crown jewel will help in security data. You will still need endpoint protection, firewalls, with this you are actually protecting the data and this will be the focus. So even though one of these defenses is compromised and they got in but with data being encrypted, there is no material damage. There is other damage that can be done with breach, but this way you are at least protecting the personally identifiable information (PII) of customers.
What kind of security readiness do you see among businesses in India?
Cheri: We do a lot of activity to raise awareness around this across the world. When we talk about security – I always go back to the fundamental – people, process and technology – it always comes down to this. The people component of it cannot be ignored. It is about raising awareness not just about what they can do to protect themselves but also about what is the responsibility and what they can do to protect the company’s core assets.
At Symantec, while we have the annual security training. We have instituted and launched phishing emails against our employees to check whether or not they will click on it. If you click on it, you get a pop-up about phishing attempt. This gives a real time feedback and it is great to keep it in forefront of people’s mind. We have the same challenges as any large enterprises does and it is always important for our employees to have that training and awareness.
Deepak Maheshwari, India head-government affairs, Symantec: When one talks about readiness in India, one of the big challenges is in terms of talent. The initial Cyber Security Policy 2013 had identified a shortage of half a million cybersecurity professional. A February 2014 report of the parliamentary standing committee on IT found that at that time there were less than 75,000 people who were ready. There's a huge gap and an estimated requirement of 5 lakh cybersecurity professionals. We observed that this was a huge opportunity for India to scale up not just to protect information and assets in the country but also globally. Aligned with this, Symantec had announced partnership with NASSCOM in June to support the initiative of Cyber Security Skill Development. These are the type of initiatives in terms of public private partnerships that go a long way. Investment is one aspect, but investments not just in terms of technology, but also having right people who can work with technology better – so the interplay is better.
How critical is it for the government of countries like India to involve the private sector for cyber-security policy making?
Cheri: It is very important. I can’t understate how important it is. When you think about critical infrastructure, owners and operators are the ones who operate in this industry. Their feedback about what is actually possible and implementable is vital in determining what the policies are. We just saw for example, last month, very controversial but the draft encryption policy that was released and we were very pleased that the Indian Government released it as a draft. Now it got a lot of feedback very quickly with concerns from both Indian as well as non-Indian companies. But actually issuing that as a draft allowed industries' voice to be heard. And those kinds of consultations are very important to make sure that we get the policy right.
We want to avoid policies that are going to potentially restrict our ability to use new security technologies and to innovate. The thing is that you don't want to set a standard. Security technology moves very quickly. It can be completely changed in a year or two but you have a government policy that is actually tying regulation to an old security technology. You might not get the best protection that you need then, based on how the security innovation is evolving. So we think it’s very important for the industry to be part of those discussions, to be part of those consultations. We bring a lot to the table from expertise and what we see with our customers firsthand, how we use the technology ourselves, through trial and error.
Can you please tell what are the conversations Symantec is currently having with the Indian Government when it comes to policies on cyber-security?
Cheri: I'll talk briefly about the recent US-India Cyber Dialogue that took place in the US, which I was a part of last August. There were several areas where we were focused on. One was on encryption; the other was on telecom standards and testing; another one was on MLAT reforms (Mutual Legal Assistance Treaties) which will allow governments working together for prosecution, investigation and extradition of cyber-criminals. The MLATs are very old, based on decades-old policy views so they are not up to par with the pace. To execute a MLAT and to go after a cyber criminal can sometimes take six months. Internet Governance was the other major topic that was discussed in the Dialogue. Those are the big discussion points that the US industry is having with the Indian Government right now.
From a Symantec standpoint, we are also talking with the Indian Government about how we might do information sharing with CERT-In. How we, in order to help the government, see threats, do malware analysis, etc. We are also talking about some of our modelling and simulation capabilities. And, how we can help maybe exercise funds with lot of experience and a lot of depth of expertise in that area as well. We are also talking with the Indian government about public-private partnerships and what are the real success factors that go into them are some of the conversations.
The current Prime Minister of India is quite tech-savvy and understands technology. So what kind of opportunity do you see in India now? Can you talk about the kind of work going on with the Indian Government?
Cheri: Part of the reason why we were so active in India is we have a very large employee base and that 25 percent of our global workforce is in India. A major R&D centre in Pune, a lot of our workers on the Trust Services internet security are in Bangalore, we have one of our five global security operations centres based in Chennai. We have been here for over 20 years now, and so India is very important not just from a market standpoint but as a contributor to our technology and very important to our business and development of our products. Among the areas that the Indian Government is focusing on right now - of course there is Smart City technologies and the secure and privacy aspects there, these are obviously part of the Digital India initiative, the Unique ID programme, there is also CIIP guidelines being put out. Those are some of the areas that the government is very focused on, moving aggressively. Unique ID has already rolled out very aggressively. But I think Smart Cities is going to be one of those big ones, along with mobile payments and digital empowerment movement being the way that citizens are using technologies basically in their daily lives.
So, what are Symantec's key focus areas for the Indian market?
Cheri: I think key focus areas are financial services, telecom sector, energy sector at large also including oil & gas, these are the major critical infrastructures that underpin the Indian economy and both economic and national security are the areas that we are focused on.
Deepak: And all the eGovernance infrastructure because in India, physical infrastructure deficit for people is being made up through the digital bridging. The services should not just available but should also be available in a secure and trustworthy manner. There are several eGovernance projects which we are participating in.
Moving on, what are Symantec's plans for India, in terms of investments?
Cheri: We are very committed to this market. Symantec is currently going through a major corporate restructuring with the sale of Veritas. But we have no intention in our strategy of scaling back our investment in India. It’s a very important market not just from a sales temperament but from talent perspective as well. Apart from the NASSCOM initiative, we also took initiatives to really engage more with the government on the public policy.
Find latest and upcoming tech gadgets online on Tech2 Gadgets. Get technology news, gadgets reviews & ratings. Popular gadgets including laptop, tablet and mobile specifications, features, prices, comparison.
The petition sought directions to the ministry of electronics and information technology to ensure that Whatsapp does not share any user data with Facebook or its associated apps.
WhatsApp now says it is now going to use the three-month delay to better communicate both the changes in its new policy and its long-standing privacy practices