How to make cyber security work in a digital economy

Internet governance architecture must be based on a multi-stakeholder model to ensure that cyber security programmes deliver

OUR security is as good as our weakest link. That statement sums up the entire dynamics of cyber security programmes. At a time when data breaches and cyber attacks are increasingly becoming common, it is natural to call for stringent cyber security measures. However, regulating the digital economy isn’t easy with digital services increasingly ignoring national borders.

At a recent knowledge exchange forum on ‘Combating Cyber Threats for a Safer Digital India’ organised by Microsoft and media partner Indian Express Group, several leading IT experts from the government as well as private sector acknowledged the security challenges thrown up by a digital economy. The event marked the inauguration of Microsoft’s first Cyber Security Engagement Centre in India.

In his inaugural address, Ravi Shankar Prasad, minister of law and justice, electronics and information technology, said safeguarding the sanctity and integrity of data is important to ensure that India plays a larger role in the world of data analysis. Decrypted data must not be revealed under any circumstances, he stressed. “The internet governance architecture must be a multi-stakeholder model, namely; the people, the civil society, the academia, the industry, etc.,” said Prasad.

Saying that the Microsoft management team has always emphasised on the sovereignty of data, Anant Maheshwari, president, Microsoft India shared a few industry data points: 160 million customer records are compromised on a regular basis, generally it takes 220-plus days to detect a cyber attack.

The panel discussion titled ‘Securing Digital India through a Public-Private Model’ moderated by the managing
editor of The Financial Express, Sunil Jain, saw leading IT security experts voicing their opinions. As Neeta Verma, director general, National Informatics Centre (NIC) said, there are two dimensions to the increasing instances of cyber attacks and how they can be prevented. “One, that it’s an ongoing challenge as we continue to defend ourselves. The other is that it is also significantly important that we should have the right kind of system and compliances in place. Applications have to be secured by design and there has to be secure coding,” she said.

Sumit Puri, CIO, Max Healthcare, said it is important to institutionalise all the processes at various levels. “We need to inform and educate various stakeholders in this exercise because we know that our security is as good as our weakest link,” he said.

On linking Aadhaar with IMEI (International Mobile Equipment Identity) number, BN Satpathy, senior consultant, NITI Aayog said that in a free economy it is difficult to link everything with Aadhaar. “You need investment in cyber security at every stage. There is nothing called perfect security.”

Answering a question on cyber security budgets, Sanjeev Gupta, general manager, Microsoft India said, “The entire space of IT spend should have a security aspect. One cannot earmark a separate budget for cyber security. However, overall IT spend should go up as cyber security is important at each and every stage.”

A second panel discussion saw Commodore A Anand, director, NCIIPC suggesting that there should be a nodal agency to which all cyber attacks should be reported immediately.

“We have the second largest database after Facebook and WhatsApp,” informed Davesh Singh, CISO, UIDAI.
On a foolproof strategy for cyber security, Manish Tiwari, national information security officer, Microsoft India explained that the most effective strategy is to assume that a breach has happened. “We have to get our architectural design right. Public-private-partnership (PPP) will create a trusted environment which will bring capability and capacity in the system.”

Vijay Devnath, CISO, CRIS stressed on the importance of proper security audits. “We have not been providing enough details as to how the audit is going to be done. Technical information through proper audits should be disseminated to CISOs at the earliest.”