Indian enterprises have done little to share information on cyberattacks, at a time when the US is in the middle of deciding on the Cybersecurity Information Sharing Act that would make the process easier.
India’s enterprises, startups and government are concerned about cybersecurity, but are not giving enough thought to sharing information, said Bryce Boland, Asia-Pacific CTO at cybersecurity firm FireEye. “Information sharing is absolutely critical to cybersecurity,” he said. For instance, when one shares the information, it helps the other to prepare against a similar threat. “If you are an attacker and you know something that nobody else knows, you can take advantage of that as long as nobody knows or understands what you are doing,” Boland told ET.
The more tangible benefit of sharing information is that it would bring down costs significantly for the entire business community, said Boland. When enterprises work in isolation, each would end up paying similarly for an attack, increasing the cost and time incurred to fix a similar issue.
In 2012, after Nasscom and Data Security Council of India (DSCI) published a report, ‘Securing our Cyber Frontiers’, stressing the importance of sharing information on cybercrime, a joint working group was set up under the chairmanship of the deputy national security adviser.
The group had suggested the “private sector will set up Information Sharing & Analysis Centres (ISACs) in various sectors and cooperate with the sectoral CERT (Computer Emergency Response Team) at the operational level”.
Following these recommendations, an ISAC was set up in Hyderabad last year with the support of the Institute of Development and Research in Banking Technology.
“The idea is that the sectors will know what kinds of attacks are being seen within their community,” said Dr Kamlesh Bajaj, former chief executive of DSCI. For example, if a particular bank is being attacked, and they share the details of the attack such as the origin, type and IP addresses of the attacks and so on, the entire banking community could benefit and prepare a collective defense.
Critics of information sharing often cite privacy concerns about such a practice, but these issues have been addressed in the recommended framework in India. “This sharing is under strict conditions of anonymity — (information such as) which bank has been attacked, or if there is any compromise or actual data lost, will not be revealed,” said Bajaj. The model can be extended to other sectors such as telecom, health, energy, infrastructure and stock exchanges. However, these initiatives would have to be driven internally by the industry, say experts.