India’s growing information technology (IT) infrastructure faces security threats in the form of virus attacks, forced crashing of systems and hacking. Last year, for example, the Stuxnet worm is known to have attacked utility companies in India, among other countries. Besides that, the computer systems of the ministry of external affairs and a few defence establishments also came under attack. Samir Sachdeva spoke to Pamela Warren, cybercrime strategist and director of global public sector and critical infrastructure initiatives at McAfee, a leading internet security agency, about these perceived threats and possible solutions. Edited excerpts:
What are the major cyber threats that India faces, according to your recently released report on global critical infrastructure?
Last year, many companies faced destruction of data or disruption of services and such attacks have increased this year. The security infrastructure has however not necessarily grown accordingly. In India, several companies have suffered from disruption of services and data theft and there is a growing concern over security preparedness both at the level of the companies and the government. Interestingly, while many companies believe that the government may not be prepared they are still hopeful that the national IT policy might still help mitigate these issues. In fact, there is a worldwide belief that regulation will somehow solve it all. But the flip side is that when there is too much focus on regulation and compliance with the checklist designed for it the focus may shift from securing the network. On the other hand, when the executives request for more security budget and head count, because they have to deal with some of these security issues that had been ignored before regulation was put in play, they can certainly get the budgets they have been requesting because all of a sudden it becomes the highest priority to comply.
How do you define critical infrastructure with respect to the government?
It is a challenge for the government because it needs a number of resources in order to try to mitigate risks, particularly here in India because so many of these responsibilities fall on the government. The other challenge that the government faces is to have in-house cyber security talent so that it does not have to depend on outsourcing all the time. So, there are issues of manpower as well as cost. This is not just in India; governments around the world are facing these challenges.
How vulnerable is our critical infrastructure, such as power grid or air traffic control?
There are three main threats: sabotage, exfiltration of data or data theft and extortion. In case of sabotage, of air traffic control or power grid, it’s very clear that we are going to lose power in certain segments of the grid. Obviously, any such sabotage will be a big blow to the government which will be forced to either pay off the demands or deal it with otherwise. Exfiltration of data is even harder to deal with. It is important how the stolen information is going to be used. Exfiltration of data can have an impact on the business along with the government. The information on what decisions have been made can give competitive advantage to those who procure it by stealing. I think exfiltration of date is the scariest threat to deal with because you don’t know what the outcome is going to be. And you certainly don’t know in many cases or have knowledge of when this malware is being planted to do the exfiltration, how long it has been there, what information has it now stolen and exfiltrated out of the government network.
Are these cyber threats most likely to emerge from China and Pakistan?
From a vendor’s point of view, it’s very difficult to pin the blame without additional inside information. When it comes to economic advantage, it can almost be any country. I would like to say that we as nations don’t take care of all our vulnerabilities. Our cyber security preparedness is like keeping the front door open for robbery. So can we really blame that other country? Or do we need to look back at ourselves in terms of protecting ourselves. Am I doing everything to protect that data, or am I going to blame the other guy for stealing it because I did not appropriately protect it?
What appears to be the purpose of these threats – spying, derailment of infrastructure or something else?
Without knowing the specific details of the attack, it is difficult to tell. The Stuxnet attack, for example, could have been a case of sabotage in this country. I think the broader thing is use of it as a wakeup call before it does bring down the entire grid, or it does bring down the IT infrastructure of the government. The Stuxnet could have created much more damage to us around the world than it did.
Is the Indian IT Act enough to deal with cybercrime? Shouldn’t we have a global mechanism when we know cybercrimes happen across borders?
One of the things that the global fraternity has been talking about is how much do we outsource to the countries which lack cyber security laws. And I think countries around the world need to be cognizant of that reality. As the number of data breaches increase around the world regardless of the location, there will likely be more and more attention on the data protection legislations. The European Union has very stringent data protection laws. Australia is considering this for some time. The US has an approach that differs from state to state and now it is looking at the federal level too. Canada is very stringent as well, just like the EU, and so the question is whether we should send data to a country that doesn’t have privacy laws. I think that would be a challenge. I think countries will be very concerned about it and will demand protection for the data and that’s again presuming that data is what’s being outsourced and not other types of services that don’t bring as much risk.
