Role of Corporate Sector in National Cyber Security
By
Naavi
Na.Vijayashankar, Founder
www.naavi.org,
www.cyebrlawcollege.com
Chairman, Digital Society Foundation,
Director, Ujvala Consultants Pvt Ltd
Netizen’s Role in National Cyber Security:
National Security has been
considered as a function of the sovereign responsibility. The public pay
taxes from which the Government is expected to maintain the Military,
Police and other facilities for defending the country and its assets. The
role of the Government extends to a reasonable extent to the protection of
private assets of its Citizens. This thought process has been undergoing a
change in the current times. Companies today organize their own security
within their premises and sometimes in the immediate vicinity. However as
of today, private companies are not expected to participate in the border
security or military security.
In today’s Digital
Economy, a substantial part of Corporate and Government assets is
constituted by “Cyber Assets” which are mainly in the form of “Information
Residing Inside a Computer Resource” or “Information in transit in Cyber
Space” or “Information in storage in external media”.
When it comes to fighting
a terrorist attack in a corporate premises, the Government has more
expertise and resources than the private sector. On the other hand the
expertise and resources required for fighting any assault on “Information”
are available more with the private companies than with the Governments of
the day. Just as the private sector expects the Government to rush NSG guards
when there is a terrorist attack on a corporate premises, Corporate sector
should consider if their expertise should be made available to the
Government for defending the Cyber assets when required.
Yet another important
difference between the Cyber Security and Physical Security is that the
Cyber Space does not have well defined borders which can be defended by the
military against the external aggressors. If the Government can maintain
its borders protected, the citizens can be free of external threats.
In Cyber space however the
border between the physical world and the cyber space lies inside every
computer or mobile which is connected to the Internet. A mobile in a remote
village inside the country can be the entry point for a Cyber Enemy to
enter the Indian Cyber Space in the form of a Virus or a Trojan. Once
inside the country it will be like a terrorist who has infiltrated the
country. The defense gets complicated. Any attempt to fight the infiltrator
can inconvenience an innocent bystander. There will be Privacy and Freedom
of Speech protectionists who emerge as saviours of the victims and
discourage any tough measures of security.
A typical example of how
insecurity of a desktop can affect national security can be understood in
this hypothetical case.
“Raghu the 14 year old son
of Raju a Corporate executive, downloads a free computer game on his
domestic computer. He also downloads certain “Cheat Key Installer” from a
website to win the games easily. The installer gives Raghu the cheat codes
for winning the game and he is happily on a gaming expedition.
The Cheat
key installer however has a malicious code which gets installed in the
computer despite the up to date anti virus software installed because
Raghu permitted the disablement of the anti virus software during the
process of installation.
Raju uses
the computer to send e-mails to his friends and official contacts, log in
to his Bank, download and upload files from his mobile.
A friend of
one of his friends is a Government official who works in the defense
department and carries confidential and sensitive data in his computers.
The
Trojan which Raju has downloaded with his cheat code, worms its way to
other devices and extracts information from many of the user computers it
has infected and mails it to an external source in China.
Through
this breach, persons in China extract important information and use it
against the interests of the Country”.
The net
result is that an enemy gains access to defense information by first
worming his way into a child’s home computer.
Though
the above is a hypothetical case, it highlights the risks arising out of
living in a “Connected World”.
Without protecting every
computer or mobile connected to Internet, it is not possible to protect our
Cyber Space. The role of every Netizen and more so the Corporate Netizen is
therefore imperative in National Cyber Security.
The role of Corporate
Netizens becomes important since many of the critical sectors of the economy and
defence are in the hands of the private sector. Most of the large companies
access the Internet through their own satellite connections, by-passing the ISP
network which ordinary citizens use. Many of the corporate employees also
travel abroad and carry their laptops in and out of the Company as well as in
and out of the Country, so their computers can get infected and spread
computer viruses as easily as flu viruses spread.
Action is therefore needed
at every corporate entity and they should join the fight against Cyber
Threats with the Government.
Four Dimensions to Corporate’s Approach to National Cyber Security
There are four
dimensions to what a private sector corporate entity can do to contribute
to the Cyber Security of the Nation.
These are:
1. Self Security:
The Country’s cyber space consists of the following three elements.
- Cyber Space created and used by the Government
- Cyber Space created and used by the Business/Corporate entities
- Cyber Space created and used by the Individuals.
The role of the corporate mainly comes in managing the Cyber Space used
and created by them. This includes the corporate resources, and the
resources which are under the control of their employees. Under the ABC
principle of management we can say that the Corporate Cyber Space is a
substantial part of the Total Indian Cyber Space. This space includes the
Banks, Stock Exchanges, E-Commerce Sites, IT Companies, Non IT Companies,
ISPs, MSPs, etc.
The employees of these companies are also computer literate persons
who use computers day in and day out and may also have home computers,
laptops, GPRS enabled mobiles etc.
Hence this segment is a key constituent of Cyber Space and if every one
of the business entities secures its cyber space, perhaps a substantial
part of the security issues can be considered as addressed.
In managing the security of Cyber Space, Companies need to ensure
Physical Security, Network Security (Including Wireless Security),
Application Security and Document Security.
The security at the technical level is normally ensured through
appropriate Firewalls, Intrusion Detection Systems, and Encryption,
supplemented by effective Disaster Recovery and Business Continuity
Plans. But Companies often neglect to back their technical security
measures with legal compliance.
Unless the security is techno legally sound, the Information asset owner
is not adequately protected from the risks arising out of Cyber Crimes
either from within the organization or from outside.
In order to meet the Techno Legal Information Security requirements,
Companies need to undertake legal compliance audits, particularly an ITA 2008
compliance audit, and take the necessary compliance measures. In order to
fully meet the requirements of ITA 2008 compliance, companies may take
guidance under the voluntary security standards such as the IISF 309
(Indian Information Security Framework; for details, refer to www.naavi.org).
Companies engaged in Intermediary services such as ISPs, MSPs, Cyber
Cafes etc. also need to institute security measures which assist the state
in its “Cyber Patrolling duties”. These are absolutely essential from the
National Security view point.
Some companies both Indian and Foreign provide shelter to criminals by
providing an automatic IP address hiding facility under the mistaken
impression that such a measure is required to protect the privacy rights of
an individual. As a result, the law enforcement authorities are put to
needless difficulty in investigations often helping the offenders to
escape. Such acts can expose the company directors and management to
vicarious liabilities.
ITA 2008 after the recent amendments has very strict provisions for data
retention and provides enormous powers to the Government to seek traffic
data and other information from any Company and failure to provide such
data on demand may have serious consequences on the Company.
2. Developing a Security Culture within the Organization
In order to meet the requirements of ITA 2008, Companies need to
undertake a comprehensive Techno legal information security plan which
includes undertaking appropriate Cyber Law awareness training for their
staff and adequate investments in technical security as well as legal
compliance. Top management attention is required in this matter since law
expects the Board Directors and CEO to take legal responsibility in case
the security system is inadequate.
The effort should be to develop a security culture in the organization
which is self sustaining. This should include incentives and disincentives
for staff who violate the security prescriptions.
3. Assisting the Government in its Security Functions
As a good
corporate citizen, every company has a role to assist the Government in its
security duties. For this purpose the Information Security officer of the
Company needs to keep in touch with the Cyber Crime Police in the City and
ensure appropriate information exchange as may be necessary. Some of these
requirements are now part of ITA 2008 as well.
4. Contributing to the Development of Cyber Security Culture in the Country
Public-Private collaboration in setting up Cyber Forensic labs, organizing
“Cyber Crime Insurance”, “Conducting public outreach programmes” etc are
part of the initiatives which companies can take in the interest of
maintenance of a safe Cyber Security Environment.
India is
still not self dependent in respect of computer hardware and software. This
dependence on external sources is a serious security risk for the country.
Indian corporates who are today emerging as global leaders in different
industry groups should consider large investments in the Computer hardware
sector and for development of indigenous operating software and
applications.
Companies
need to invest in R & D so that the Country becomes self dependent in the
IT Environment.
It is
needless to say that the Government has a huge role in encouraging the
private sector for the development of the IT Infrastructure in the Country
so that in the coming decade, India emerges as a self sufficient super power
in the field of Information Security. Only in such an event can we
adequately counter the Cyber terrorists and Cyber warfare.
Government and the academic institutions also have a lot to contribute in
revamping our education system to ensure that Cyber Security specialization
is part of advanced studies in the country. Since higher education in the
country is also in the hands of the private sector, there is scope for the
Corporate Houses to invest money in developing international standard
institutes specializing in Information Security. The Government of
Karnataka has expressed its readiness to support any such venture in
Bangalore in a bid to make Bangalore the Information Security capital of
India. Companies with futuristic vision should take this opportunity to
make the right investments at the right time and at the right place and
reap the benefits of Information Security leadership.
Naavi
Comments are Welcome at naavi@vsnl.com