“There are two types of organisations: those who have been hacked and those who don’t yet know they have been hacked.”
I recently stumbled upon this quote by John Chambers, executive chairman and former CEO of tech giant Cisco. It accurately describes where we in India are in terms of cyber security.
The recent data breach of debit cards left an estimated 3.2 million Indian customers vulnerable and is said to be the biggest such rupture in the country’s banking system to date. What happened was scary, but not entirely unexpected. Cyber security continues to be an after-thought in every sector in the country.
The Indian growth story is premised on startups so I asked a bunch of technology entrepreneurs how they balance agile product or service delivery and overall security. Their answers worried me. If those at the cutting-edge of technology treat cyber security as a “good to have,” it is overambitious to expect others to act differently.
We are at the beginning of the fourth industrial revolution, which will bring about the fusion of the physical, biological, and digital worlds. This fusion will churn out enormous amounts of data, fueled by ubiquitous connectivity, personalised computing, and advanced analytics. While this will empower people and organisations, it will also increase operational, systemic, and strategic risks in ways that are hard to predict.
Today’s cyber threats are annoying—they reduce efficiency and productivity, and drain resources. Tomorrow’s cyber threats could cause physical harm.
“Clouds of a bloodless war are hovering over the world,” prime minister Narendra Modi said while inaugurating the Digital India Week last year. He was referring to the growing worries across the world over cyber security. I reckon that cyber war might not be bloodless after all.
Think of self-driving cars and planes, a reality in the not-so-distant future. Imagine if someone hacks into the system that controls the sensors. It could cause mayhem at the push of a button. Think of healthcare data being used for predicting epidemics and planning interventions at the right stage. What if malware creeps into that? It could potentially wreck the pharmaceutical, insurance, and healthcare sectors.
So what must be done to avoid such a collapse of entire systems that cater to millions of Indians?
Public-private partnership against cyber crime is the only sustainable solution. For this to be achieved, trust is essential, and that’s where matters become complicated. The world over, governments and private players have locked horns over issues such as data ownership, liability, and audit frequency, among others.
Certain tools exist in the form of laws, conventions, industry initiatives, and information-sharing platforms. However, this does not suffice. Cyber crime is too complicated and too important to be left to the whims of any one stakeholder. Instead, the public and private sectors must combine forces to find symbiotic ways to tackle it.
The World Economic Forum’s (WEF) Cybercrime Project, premised on transparency and accountability, aims to evaluate existing laws and conventions, private sector industry standards, and, most importantly, encourage dialogue and cooperation on practical ways of dealing with cybercrime. These recommendations, however, are only the first steps towards achieving mutual agreement on the fundamental actions.
The recommendations include the following:
Public and private sectors should share more information related to cyber threats, vulnerability, and consequences.
They should work to create new platforms, strengthen existing platforms, and coordinate these platforms to increase information-sharing and improve investigations and prosecutions.
They should cooperate to encourage and advance wider adoption of the Budapest Convention on Cybercrime, or of the principles it promotes.
Public and private sectors should work to build trust and discuss contentious topics related to cyber crime, such as encryption, cloud servers, data access and protection of privacy, to find appropriate solutions.
They should engage in other strategic initiatives such as collective action facilitated by non-partisan organisations.
Over and above the framework advanced by WEF, the competitive federalism model for cyber crime might work well in India. Executed in collaboration with the World Bank and the department of industrial policy and promotion, this model delivered impressive results in gauging the ease-of-doing-business rankings for different states. Now NITI Aayog has suggested a similar model for education. A concrete step forward would be for the states to compete with each other and partner with relevant private sector organisations and non-profits to ensure cyber security.
At the national level, a three-pronged strategy should define our approach:
Protect all endpoints—from sensors and chips to data centres.
Detect malware using targeted signals, behavioral monitoring and machine learning.
Respond in time and bridge the gap between discovery and action. To share an example of the kind of lag usually involved, the hackers who leaked Sony Entertainment’s confidential data in 2014 had access at least one year before its eventual discovery.
The Indian banking system data breach is a wake-up call.
We can choose to do what we are doing right now: shirk the blame and point fingers at each other. Or we can take ownership and prepare a comprehensive national strategy for cyber defence.
In the words of Jean-Paul Sartre, “We are our choices.”