What's Wrong with Public, Private Partnerships? Security Leaders Discuss Plan for Building Effective PPP Framework
Even though India lacks a formal breach response mechanism, public and private sector players have nonetheless initiated unofficial efforts to share information and collaborate in the face of increasingly sophisticated and coordinated attacks. While the government is increasingly dependent upon private and public sector participation in tackling cyberattacks, a plan to develop a true public/private partnership framework is missing.
What are the proven, effective ways of bringing parties together to focus on improving the nation's cybersecurity posture? How can informal PPP be amalgamated into a formalized framework in India and throughout Asia? These questions were discussed recently at the Data Breach Summit Asia 2016 in Bengaluru, hosted by ISMG. Participating in the panel were S.N. Ravichandran, Cyber Investigator and DSCI Anchor, Cyber Society of India; Manoj Agarwal, Head of Internal Audit, Metro Shoes Limited, Member - Guidance Development Committee, IIA Inc; A Shiju Rawther, Assistant Vice President-Technology, Credit Information Bureau (India) Limited; K S Narayanan, CISO, PwC India; Vikrant Varshney, Chief of Risk Advisory Board, Risk Resources; Vijay Subramanyam, Partner, KPMG; Vivek Chudgar, Senior Director - Consulting, APAC, FireEye.
"The concept of a public and private partnership framework is confined to industry discussions; there is hardly any impetus given to the subject at the enterprise level," says CIBIL's Rawther. "Organizations should lay emphasis on driving the partnership culture, and security practitioners need to lead the discussions within their organizations."
Data Sharing Essential for Partnership
Experts believe that one of the main reasons behind the ineffectiveness of the model is a failure to understand and assess the role of partnership in tackling cyber threats. More often than not, organizations and government agencies are reluctant to share information.
It's all about mindset, says Rawther, who argues that it's time organizations at large changed their approach to sharing the relevant data with other companies, bodies or forums.
But it seems to be easier said than done, says Subramanyam of KPMG, who observes that most private organizations are bound by contracts. "They will have confidentiality clauses and anti-trust clauses. Government organizations have the Official Secrets Act and many others, which prevent them from disclosing critical information," he says.
"Other constraints on collaboration are the lack of a legal framework to support the collaborative models, providing clarity on what needs to be shared and how it should be used; some of these questions still solicit answers," says Subramanyam.
Chudgar of FireEye firmly believes sharing of intelligence by the government is critical. "If the government is ready to share near real-time intelligence with the private sector, many can benefit from it," he says. "Similarly, private sector companies need to realize that sharing information on what kind of attack happened and what malware hit them is not a bad idea."
Some argue that the fear of sharing information only indicates that there is a lack of transparency among the stakeholders, a big bottleneck to establishing a partnership model.
PwC's Narayanan says there is currently a clear lack of visibility between public and private sector organizations on who is doing what. "It's not just between the sectors; there is no understanding of the work done by various industries within these sectors," he says. "Besides, there is no common objective for participants to contribute."
He says the banking sector is a good example for others to follow.
"There are formal and informal communications happening among different organizations within the banking sector because there is a clear objective and clear stakeholders," he adds. "A similar approach can be emulated by other industries to help in tackling threats."
Justifying Public, Private Partnership
Despite multiple shortcomings, there are some concerted efforts being made by a few states to establish effective models.
Varshney of Risk Resources points out how the Cyberabad Security Council (SCSC), a non-profit firm jointly created by the Cyberabad Police commissioner team and the Hyderabad IT Industry, has collaborated with academic institutions to train the staff in cyber security.
According to him, given that the government has been unable to keep pace with the evolution of private sector organizations in the past few years, it would be ideal to extend them the right support in taking the initiative. "Government should go beyond their conventional strategy and rope in the private enterprises in establishing a policy and framework, while administering certain controls," says Varshney.
Rawther, who has been associated with Kerala Police in establishing a first-of-its-kind cyber innovation centre, Cyberdome, in the state to fight online crime, says that an effective partnership ensures ROI for both sectors. "Lack of skill-set was one of the biggest challenges faced by the state government while setting up the Centre," he says. "To resolve this issue and to ensure private sector participation, the police department invited Infosec professionals from the industry as Cyberdome officers to train the State police."
The initiative helped the security professionals establish their credentials by associating with the government project, as they were issued government ID cards and given stars and ranks based on their contribution, Rawther says.
The Way Forward
Experts say the public-private partnership initiative is a tricky affair, with stakeholders trying to pass the buck over and over again. Some argue that bringing in more subsidies would encourage private players to participate in developing cyber defences.
Offering subsidies, says S.N. Ravichandran, is certainly not a long-term solution.
"Government should limit itself as a monitoring body and step in when there is a legal problem or when the private partner requires empowerment to access confidential data," he says.
Experts believe there is a need to build more clarity on the nodal agencies model that the government is proposing, with clear objectives and a defined working model.
Rawther highlights the need for a centralized body that can make it a mandate for every organization to share the relevant data in the event of a breach. "That is the only way to build and percolate the best practices to other organizations," he concludes.