Taking Stock of the Public-Private Partnership in Cybersecurity

Cherian Samuel

2014 was a relatively quiet year for India as far as reported cyber security breaches went. Nevertheless, the reported breaches highlighted the continued vulnerability of critical information infrastructure networks to cyber attack. There were reports that hackers had broken into the server of
the Airports Authority of India (AAI) and wiped data from an entire server in July 2014. A Pakistani cyber espionage campaign against Indian networks was highlighted in a report by Fireeye in August 2014. Though the researchers could not identify the specific victim organizations, they based their deductions on malware bundled with decoy documents related to Indian issues. The malware sent data back to a US server to “make it seem like the attack originated from a US server.” The government’s digital certificate Certifying Authority (NICCA) had to stop issuing digital certificates after its software was tampered with by unknown entities. And in November 2014, a tranche of Snowden documents released indicated that the UK intelligence agency GCHQ had actively intercepted data from the Reliance undersea cable network at a landing point in the UK.
Elsewhere in the world, most of the attention was focussed on the Sony hack, and particularly on its geopolitical fallout with the United States accusing North Korea of the hack. But this was by no means the most serious cybersecurity breach of 2014, in that nothing was lost by way of payment information. That trophy went to the retail outlet Home Depot, with the hack on that company resulting in almost 56 million credit card details being compromised. Nonetheless, it was the geopolitically motivated acts that continued to garner attention, with the intermittent internet outages in North Korea being seen as a US response. Another American response – the indictment of serving Chinese military personnel by the FBI in a US court for conducting cyber espionage and stealing intellectual property – led to the China’s suspension of the U.S.-China cyber working group meetings. China has also accelerated its efforts to wean itself away from US technology and maximise the use of Chinese technology and Chinese products in sensitive areas.
In this backdrop, the importance of cybersecurity to overall national security cannot be underscored enough, particularly as the government is looking to cyberspace as a major enabler of its many initiatives, from governance to education to financial inclusion. Delivery of many of these services is in partnership with the private sector which makes a close partnership with the private sector also crucial to securing cyberspace. Effective cybersecurity calls for a close partnership between the government in its role as custodian of the nation’s security, and the private sector, in both roles of information infrastructure provider as well as the provider of many critical services.
A Joint Working Group (JWG) on engagement with the private sector on Cyber Security was established in July 2012 under the direction of the Deputy National Security Advisor. The JWG released a report in October 2012 detailing the guiding principles underpinning this exercise and outlining a proposed roadmap for greater cooperation and coordination. Amongst other things, the report called for firming up of an institutional framework for partnership, capacity building, cyber security standards to be established and implemented, and the creation of testing and certification facilities for products. Nearly two years on, while there has been some progress, the roadmap still has many miles left to cover.
With information sharing being crucial to combating cyber threats, the road map called for the establishment of Information Sharing and Analysis Centres (ISACs) in various sectors. ISACs established in critical sectors such as banking, telecommunications and power are in various stages of development but are largely dependent on the nodal agencies/companies that have been identified in the various sectors. Unless the teething problems are identified and resolved, information sharing will only remain a nominal activity.
In an effort to develop Indian solutions to cyber security issues, the Joint Working Group also called for multi-disciplinary Centres of Excellence (COEs) in Cyber Security areas including best practices, forensics, cyber crime investigation, studies, research and international frameworks/institutions. As with the ISACs, many of these are also in the early stages of development.
Among the concrete achievements so far is the recognition of India as a “Common Criteria Certificate Authorising Nation,” which enables the certification of products within the country. Programmes that are yet to gain sufficient traction include capacity building and skills development programmes, cyber security awareness campaigns, as well as research and development.
The somewhat lacklustre progress in this public-private partnership would seem to indicate that the private sector does not fully share the government’s vision of the opportunities in the cybersecurity sector. The fact is that while India is a giant in information technology, there are very few companies working on cybersecurity products and services. Even the few cybersecurity companies that are there sometimes combine the twin roles of producing own products while also being vendors of foreign products. Ironically, many foreign cybersecurity companies have R&D facilities in the IT hubs of Bengaluru, Pune and Gurgaon.
The government is looking to the private sector to replicate the information technology explosion of the 1990s in cybersecurity. The fundamental difference is that information technology was more about manpower which India has in abundance and less about product innovation. 25 years on, most of the informational technology companies have remained in services without diversifying into product development.
Rather than wait indefinitely for the sector to develop organically, the government has to take a more proactive role and lend a helping hand through incentivisation and direction. Different policies must be formulated for different sectors – large, medium and small scale – to enable each to contribute optimally to the cyber-security mix.
The government might be lending a helping hand, but taking that metaphor further, it takes two hands to clap, and the private sector also has to rediscover its appetite for risk-taking and investing in product development. A number of Indian companies have explored this space but their numbers have to be much more if India is to make a mark in the brave new world of cybersecurity. Without adequate knowledge and skill-sets in this new domain, India will again be technologically dependent on other countries and foreign companies in a critical sector.