Let's Build a Responsible Cyber Society



Conference on Cyber Security

The Confederation of Indian Industry Southern Region (CII) held a one-day conference on Cyber Security at Hotel Accord Metropolitan, Chennai on 24th April 2010. This is a brief report (from Naavi as a speaker/delegate) on the proceedings of the conference. P.S: This is not an official report of CII and contains only the personal observations of Naavi.

CII is a key industry association which represents a wide section of the industry, from both the IT and non-IT segments. CII-South is currently headed by Sri Kris Gopalakrishna, CEO, Infosys, as Chairman. CII South has created an Internal Security Task Force of which Sri R Srikumar, former DGP of Karnataka, is the Chairman. Gp Capt L V Mohandas is the head-Internal Security and IT (South). The task force organized an event in Chennai on 24th April 2010 in which several representatives from the industry and Government participated and deliberated on issues concerning Cyber Security.

A copy of the entire programme can be found here. A copy of the profile of the speakers can be found here.

During the inaugural session, Sri R Srikumar, the Chairman of the task force, introduced the theme of the conference and highlighted that Article 51A of the Indian Constitution places certain duties on citizens regarding actions to be taken in the interest of the security of the nation. He called upon the industries to also undertake appropriate security initiatives as a part of their CSR initiatives.

Mr T. Rajendran, Commissioner of Police, Chennai, highlighted the nature of Cyber Crimes and the difficulties the Police face in tracing crimes which are borderless and technologically complex. Mr N Lakshminarayan, Vice Chairman, Cognizant, in his keynote address recalled many Cyber Security incidents and how Companies need to address the training needs of employees as a key element of risk mitigation efforts.

Mr P W C Davidar, the IT Secretary of Tamil Nadu, has been in the national news recently after his path-breaking judgment in the case of a Phishing Complaint against ICICI Bank, in which he held the Bank negligent under Section 85 of ITA 2008 and liable to pay compensation to the Phishing Victim (Copy of the Judgement available here). He urged the intermediaries, including Banks, not to rely on "Fine Print Disclaimers" and not to hard sell technology intensive services to customers who do not understand the risks. He said that private sector Banks with their aggressive marketing strategies are adopting such hard sell strategies while Government Banks are more circumspect. He also indicated that TN will shortly announce a State Information Security Policy that may guide e-Governance projects in the State.

In the first technical session that followed, representatives of RBI, SBI and Vysya Bank presented their perspective on Cyber Security issues. While they admitted the risks such as "Phishing", they defended the current security practices such as the two factor authentication and held that customers need to be more vigilant. Mr C V G Prasad, of ING Vysya, also felt that the software companies need to build security as a part of their solutions supplied to Bankers. The group however did not recognize or debate the recent judgment of Davidar on Bank's liability for Phishing. It was not clear if the lack of debate on this judgement was due to a desire to avoid an embarrassment to the Banking system, or that the group had not recognized the implication of the judgment on Bankers.

The second technical session, which followed, focused on the subject of "Cyber Forensics". Experts from the industry highlighted the nature of Cyber Forensics and steps to be taken by companies to prevent data breach incidents.

In the post-lunch session on "Policies and Laws", Naavi highlighted the impact of ITA 2008 on Corporate Governance requirements under Clause 49 of SEBI listing. He highlighted that compliance of Clause 49 included a CEO certification that "All regulatory requirements are complied with" and indicated that many companies might have completely ignored the requirements of compliance under ITA 2008, which came into effect on October 27, 2009. (Copy of presentation available here). He urged the Companies to undertake a suitable ITA 2008 compliance audit to assess the risks and then take appropriate action to mitigate them.

In the next two sessions, experts in Cyber Terrorism and Cyber Warfare explained the concept with several interesting examples and highlighted the risks. The experts highlighted the risks arising out of Chinese policies and how China has been pursuing a highly effective policy to build cyber warfare capabilities. They urged that suitable action needs to be taken in India to counter such risks. Experts also highlighted how USA and other countries have created a "Cyber Command" and accorded priority for securing their country against Cyber attacks. Defense in Depth as well as the requirement of Offensive action were discussed. (P.S: The presentations of the speakers would be made available shortly by CII and when available the links would be posted here)

The conference concluded with Capt Mohandas assuring that CII would present a recommendation to the Government based on the deliberations held in the conference.


April 25, 2010

Related Articles:

Land Mark Judgment in Phishing Case

An Open Letter to IBA Chairman

Copy of Naavi's presentation

Indian National Cyber Security challenges

Issue of Cyber Laws For CxOs on Cyber Crimes

Comments are Welcome at naavi@vsnl.com