Information Security for IPL games
In what must be considered as an alarming
development, it is reported that some computers have been stolen from the
custody of the Joint Commissioner of Police in Delhi who was in charge of
the security of the next year’s Common wealth Games.
While at first glance this appears to be a
simple theft case not worth a second glance, the situation appears far
more serious since the said computers appear to have contained security
plans for the Games. If this information falls into the hands of the
terrorists then it may be used to launch a terrorist attack on the Games.
In the light of recent attack against Sri
Lankan cricketers, the threat to sportsmen needs to be taken very
seriously.
We may point out that the custodians of
these computers did not perhaps appreciate a “Security Risk” in the loss
of comptuers. So they might not have encrypted the data. The persons who
access the comptuer may not only get all the details contained there in,
they may also get some passwords of some of the officials who may
continue to use them when new comptuers are supplied to them.
There is therefore a need for a proper
assessment of the potential damage that the breach might have caused and
adequate precautions are taken to ensure that new security plans are
developed which render the lost information useless.
While this incident may be salvaged since
there is some more time for the event, the information security agencies
must now focus on the IPL (Indian Premier League which is a major
international cricket tournament starting next month) where also security
has become the focus. There must be some computer or computers in which
details of where the team members are staying , how they travel etc are
being stored. Now we must recognize that these systems become “Critical
Infrastructure Systems” whose security may be of interest to the nation.
The Government may therefore consider declaring the
designated comptuer with IPL where the security sensitive information is
stored as “Protected System” under Section 70 of ITA 2000 and prescribe
appropriate security measures. While such notification is made,
Government can prescribe the manner in which information in that system
is accessed and impose security measures including encryption of the data
etc.
We hope Mr Lalit Modi will consider this as top
priority and an obligation to the country. The Home Minister may in
consultation with CERT and other Information Security experts order an
immediate audit of information security and initiate further steps to
prevent the recurrence of the Delhi incident.
Naavi
March 10, 2009
