New Indian Budget Doesn't Mention CERT-FinWhat's Leading to Delay in the Launch of New Initiative?
When the Union government announced its budget for 2018 on Thursday, there was no mention about the progress in launching a Computer Emergency Response Team for the financial sector, or CERT-Fin, or any cybersecurity incentives for the financial sector.
A year ago, India's finance minister, Arun Jaitley, included a cybersecurity proposal in his budget speech to the Indian parliament for the 2017 financial year, announcing plans to form CERT-Fin for the financial sector with assured budget (see: The Challenges in Building a CERT-Fin).
But CERT-Fin has yet to see the light of day.
Some security leaders say three contributing factors leading to the delay in the rollout are the lack of: a definitive approach by the government, a governance model associated with certain technological challenges and a realistic framework for this activity.
"Formation of CERT-Fin requires a completely different approach and establishing clarity on who takes the ownership: Is it the government, RBI or any other body?" says C.N. Shashidhar, founder and CEO at SecurIT Consultancy. "Besides, the breach reporting structure also needs to be established and we found no clarity on any aspect."
The proposed CERT-Fin was announced as a way to help improve security in the financial sector, which has been hit by cyber thefts and attacks. But there has barely been any progress on these goals, Sivarama Krishnan, a cybersecurity leader at PwC India, says in a blog.
Given the government's mission to set a target of INR 2500 crores worth of digital transactions for FY 2017-18 through modes such as Unified Payment Interface, Unstructured Supplementary Service Data-USSD, Aadhaar Pay, IMPS and debit cards, CERT-Fin was expected to play a big role in securing transactions through stringent security controls.
Its implementation will require coordination from all stakeholders, including regulators and law enforcement, to ensure that cyber response works seamlessly. The finance minister had said that CERT-Fin would work in tandem with all the financial sector regulators, including RBI, SEBI, IRDA and other stakeholders. But so far, there appears to be little progress.
Before CERT-Fin can be launched, every bank needs to have a SOC or similar infrastructure to detect breaches and have a mechanism to report to the authority, says Inderjeet Singh, CIO of BCL Secure Premise, a security solutions company. "As long as such a mechanism doesn't exist, it makes little sense to build a CERT-Fin as at this point in time majority of the banks do not have the SoCs," he says. "Without a SOC, banks will not be able to assess or give reports of their threats to CERT-Fin."
Shashidhar contends that the formation of CERT-Fin would require banks to report all security incidents and have a legal framework in place, and he says most banks aren't ready.
Many banks and financial institutions absorb losses from security incidents and do not publicly share any of the related information. The formation of the CERT-Fin will require a fundamental change in mindset on the part of the management of the banks and financial institutions, some security practitioners say.
The formation of CERT-Fin would mean that not only banks but other financial institutions in the country would come under one umbrella to share threat intelligence reports.
Some security practitioners argue that India lacks the technical know-how needed to run CERT-Fin.
One CISO, requesting anonymity, says: "The Indian government has been in talks with companies in Israel to help them with technology that can bring together financial institutions and banks to exchange data and information sharing.
"Recently when the Israeli prime minister visited India along with his delegates, officials from government brought up the matter with them. Talks are on between the government and companies in Israel." The government will soon issue an RFP for the project, the CISO says.
"What is needed is a software application which is capable of assimilating and assessing information from various SOCs of banks and other institutions across the country and highlight it on a single platform from where CERT-Fin can collect inputs and share it according to priority," he says.
Shashidhar says that it makes sense to leverage technical know-how from Israel, where experts are "known for their skills in understanding and dealinging with the threats of the dark web. They are extremely skillful when it comes to culling out a particular information from the dark web."
Launching CERT-Fin will require finding leadership that can build deeper capabilities in cyber intelligence gathering and analysis and threat intelligence, the bank CISO says.
And Krishnan suggests the minister of finance should fine-tune plans for CERT-Fin to cover a larger canvas and provide seed funding.