The State of Information-Sharing
Security Leaders Embrace Concept, But Cite Challenges
In the wake of increased cyber-crime incidents and fraud worldwide, government and private-sector organizations are calling for formal information-sharing initiatives to help improve security defenses.
In February, U.S. President Barack Obama issued an executive order aimed at promoting private sector cybersecurity information-sharing.
And in March, the U.S. Financial Services Information Sharing and Analysis Center participated in a cybersecurity summit in Bengaluru, focused on the topic of growing information-sharing initiatives in India. At this event, Denise Anderson, vice president of government and cross-sector programs at FS-ISAC, spoke of India's challenge.
"While there is no regulated body or structured way of sharing cybersecurity information in India, I see bodies like CERT-In, IDRBT and practitioners from the banking sector forming an information sharing forum," Anderson said.
But how prepared are India's private- and public-sector entities to engage in formal information-sharing programs?
Many security leaders across India express the need for a formal information-sharing platform across sectors to enable security teams to prevent or defend against cyber-attacks. Yet, at the same time, security heads are cautious about sharing information through informal channels, fearful that it might be misused.
"To make information sharing a reality," says Vinayak Godse, director of the Data Security Council of India, "security practitioners should first believe that it is a collective learning mechanism to understand an enterprise's security preparedness against cyber-attacks."
State of Information Sharing
Although many in India's security industry realize the importance of information-sharing and consider it vital in building a resilient infrastructure, some argue that there is no structured mechanism in the country, particularly in the financial sector.
In light of increasing fraud incidents in the Indian financial sector, the Reserve Bank of India in 2012 recommended the formation of a dedicated cell akin to the FS-ISAC under the aegis of IDRBT for monitoring threats and for disseminating security information throughout the financial services community.
Per the guidelines, IDRBT has developed a Security Incident Tracking Platform where banks would be able to report security incidents in an anonymous manner. The platform will be hosted on the INFINET and the access provided only to chief information security officers of respective banks. IDRBT is simultaneously making arrangements to gather global threat intelligence from various sources in coordination with CERT-In.
Bengaluru-based K S Narayanan, CISO at ING Vysya bank, has been involved in these initiatives. But he says that information-sharing to this point has been restricted to banking and has not spread to other sectors.
Bengaluru-based Parag Deodhar, chief risk officer, chief information security officer and senior vice president-process excellence at Bharti AXA General Insurance Co Ltd., agrees with Narayanan.
"Banks seem to be quite advanced in sharing of information, while other financial services players like insurance, NBFCs (non-banking financial companies) do not have a formal information sharing platform, which is vital to share information against cyber-attacks," Deodhar says.
Godse of DSCI says that CERT-In has been compiling information about cybersecurity threats and attacks in the country and strategizing around safeguarding national infrastructure against attacks, but to this point the organization lacks a formal mechanism to share this data with enterprises.
In her visit, Anderson echoed a similar sentiment: Information sharing groups have good intent to share information on a real-time basis, but India lacks a formal structure to enable such exchange.
The challenge, most practitioners say, begins with the lack of formal channels, as well as a dearth of best practices outlining specific policy guidelines and frameworks for information-sharing. How much information should be shared, and by whom? How will this information be used?
"Security managers are wary of sharing information through informal channels, as they are not sure of the individuals accessing these channels and the information could be exploited," says Deodhar.
The irony, some say, is that attackers are quite successfully forming groups and sharing information on finding newer ways to attack Indian organizations, yet security leaders have failed to overcome their own information-sharing challenges and are ill-prepared to defend against the attacks or keep themselves abreast of the threats.
The Role of PPP
Security leaders say that Prime Minister Modi's 'digital India' vision, which emphasizes the public-private partnership model, needs to be leveraged for information sharing.
In the U.S., Anderson says the FS-ISAC - considered to be perhaps the world's premier information-sharing entity - has built its collaborative model by engaging financial services providers, commercial security firms, federal, state and local government agencies, law enforcement and other trusted resources, to quickly disseminate physical and cyber-threat alerts to member organizations.
To leverage this model in India, Deodhar says that as long as non-disclosure agreements are signed with a formal platform in place, a public-private partnership model will be of immense help in sharing information and defending against threats.
However, the mandate should be to share key information that is both accurate and timely. "This information also needs to be interpreted and applied correctly by a central team to create actionable intelligence for the industry," says Deodhar.
And Narayanan says this information-sharing model must be built upon a central foundation to coordinate the efforts.
"Since multiple organizations are involved in the government for dissemination of information on the critical infrastructure protection methods and cybersecurity incidents," he says, "there needs to be a common platform and robust framework that acts like a co-ordinating body in sharing information with cross-sectors."