A Collaborative Approach to Respond to CyberthreatsSecurity Leaders Offered Insights at ISMG Security Summit
Because so many organizations and government agencies are functioning in silos, a key component to India's soon to be finalized cybersecurity policy is the creation of an interministerial task force to respond to growing threats, says Lt. Gen. (Retd) Rajesh Pant, national cybersecurity coordinator.
Pant was one of many cybersecurity leaders who shared ideas for how India should respond to the growing cybersecurity challenges at Information Security Media Group's recent Cybersecurity Summit in New Delhi.
New Cybersecurity Policy
A final version of India's new cybersecurity policy 2020, is slated to be released soon.
"Under the new policy, the cybersecurity will be a function of national security, under the aegis of national security adviser, which will create an inter-ministerial task force to tackle all issues of cybersecurity and respond to threats as a single entity," Pant said at the conference.
"The new policy will focus on responding to the threats to focus on three pillars - strengthen, synergize and secure the nation against external threats," Pant told conference attendees. "It has touched all aspects of the cybersecurity ecosystem, including the testing platforms, audit standards, IoT and SCADA systems.
"The new policy will also announce the funds allocated towards the development of required skills, deploying technologies and tools, training etc., and empowering the enterprises in responding to attacks."
The biggest challenge, Pant says, which is making India victim of cyberattacks and threats is the way various departments in the enterprises and government entities are functioning in silos.
Because of this, despite deploying technologies, security controls and precautions and advisories coming from CERT-In, the cybercriminals are taking control of the enterprise systems and servers making India the second most cyber-attacked nation in the world, says Pant.
Dr. Sanjay Bahl, director-general of India's Computer Emergency Response Team, told conference attendees: "The irony is cybersecurity issues are still approached with disconnected point tools, manual processes, and inadequate staffing in a siloed fashion."
CISOs are working in a volatile, uncertain, complex and ambiguous environment, so it's difficult to keep up with atttackers' innovations, Bahl said.
Col. K. Pradeep Bhat, an adviser at the National Critical Information Infrastructure Protection Center, commented during the conference: "The nation-state threats are getting to be a challenge for critical infrastructure enterprises, because attacks on the critical information infrastructure are typically carried out by transnational and state-sponsored groups, primarily for cyber-terrorism or espionage. These actors typically have no constraints in huge investments of time and money, employing top-grade skills and building in an element of plausible deniability."
Dr. Gulshan Rai, India's former national cybersecurity coordinator, added: "We are in the era where everything is controlled by software, the CISOs are expected to work in a heterogeneous application-driven environment, and all technological innovations are impacting security adversely."
The Wrong Approach
Too many enterprises "are focused on taking a control-based, bottom-up approach in securing their infrastructure," Bhat told conference attendees. "Instead, they need to take a risk-based approach in mapping their critical information and infrastructure.
"A deeper analysis of their threats and vulnerabilities is essential, besides working on a strategy that can balance risk and security controls. Organizations should form an InfoSec steering committee that can help in taking a cohesive approach to implementing a security strategy and deviate from a siloed approach."
CISOs need to take a wartime approach, CERT's Bahl recommended. "A wartime CISO needs to channel all operations towards clearly defined, conclusive and achievable objectives, allocate adequate resources of protection of crown jewels, ensure setting up of a rapid action force ensure simplicity in cyber operations and communicate at all levels with all stakeholders in their respective language."
Bahl recommended a risk management process using ISO 31000.
"Enterprise CISOs need to look at technology and regulations from an operational point of view, which will enable them to take handle over 200 plus controls they need to put in place," he said.
Rai added: "Enterprises need to develop the capability of testing every standard or process that is adopted and build appropriate interfaces with all applications and vendor tools, even when the infrastructure or services are outsourced.
"One way to respond is the private and public sectors need to collaborate to drive innovations in building better security frameworks to fight threats. At the same time, the government will prescribe conducive regulatory policies and intelligence frameworks to them to secure the organizations, along with skill development programs."