This is the second report on the discussions and talks at the NCIIPC Foundation Day in New Delhi on 16th January 2017. The first part covers the talk given by the Deputy NSA and can be accessed here.
In this report we shall be covering the talks given by Dr Gulshan Rai, National Cyber Security Coordinator (NCSC) and Dr Sanjay Bahl, Director General, CERT-IN but have to say (regretfully) at the outset that the agenda was kept within the boundaries of standard disclosures! However, there were a few unknowns which crept into the talks and these are highlighted.
Dr. Rai opined that by 2020 we will see destructive attacks which will be much more dangerous than the DDoS and Disruptive Attacks which we see today. Quoting a report by Microsoft, he shared that the nature of attacks in India is more spam, RDP, malicious IPs and that NCIIPC is sharing a list daily. He also shared that data was taken away in the credit card hack in October.
IW View: This is something RBI and others have not said. They only told the country that about 681 cards were compromised and Rs 1.3 cr lost after which they went about replacing 3.2 million cards!
He shared 11 important cyber security trends, viz. expanding government roles, growth in cyber offense activity, adaptive tactics of attackers, complexity of cyber attacks, need for deeper analysis, intersection of life safety and cyber security, rise in litigation, reality realization of security costs, increased expectations, undermining trust and security. Today we face many challenges and the main ones are death of the password, data is omnipresent, identity based access, biometrics, integration of multiple technologies, malware.
Mentioning one area of grave concern – patching – he called upon the industry to come up with a trusted platform to test and distribute patches. This is a systemic issue and many vulnerabilities are old; an example being the ATM machines which are still running Windows XP.
India is a major source of botnets, and users also demonstrate poor hygiene leading to mobile compromise. He is as scared as anyone thinking about the impact when BHIM touches core banking systems.
IW View: But the makers and testers of BHIM are not scared of anyone or anything – they are invincible!
A call was made for NCIIPC and the Critical Infrastructure sector to agree upon a threat intelligence sharing system and enable 2-way TTI sharing, training and research. There is also the need to develop a trust system by setting up root level authentication. He shared that at present 250 organizations have been joined in as Critical and are getting the benefit of NCIIPC oversight.
IW View: The last one I don’t understand what he was trying to say and I daresay anyone in the audience understood too!
Besides, there is something wrong here – Dr Rai says 250 and then later in the day, during a panel discussion, we were told that only 2 organizations have been notified as Critical (this has to be done through a formal gazette notification).
IW Comment: We are perplexed at the perpetual tryst with the elusive information sharing platform – every senior government and non-government official talks about Information Sharing but nothing is really done about it. You may check some history on Information Sharing initiatives here ARTICLE ON INFORMATION SHARING and it may be noted that this is being talked about very “seriously” since 2006… and I have been saying (since then) that nothing is going to happen and this is just hot air (of the smelly type)!
It would have been nice to know hard facts about the progress of the IC4 and NC3 (BTW are they the same organization?) as well as the plans of the various Cyber Security organizations to mesh together in creating a reliable and resilient ecosystem. While agreeing that the conference was about NCIIPC, we do believe that somewhere every cyber event will have a touch point with critical infrastructure.
Dr Bahl shared statistics about CERT activity in handling security incidents and providing guidance to stakeholders, plus more. One notable point was that 90% of incidents are phishing and others make up the balance 10%. He also said that less cash and digital payments are going to bring risk and that targeted attacks will become more mature. Cyber attacks will expand and the next area will be the supply chain. He also shared that CERT-In has put out full page advertisements (dunno where) asking organizations to report cyber incidents without delay. In keeping with the Swach Bharat Abhiyaan they are starting a “Cyber Swachta Kendra” to bring about a swach cyber system in the country.
IW Comment: Statistics from all government departments are usually at loggerheads with each other so I generally go into a limbo when someone talks numbers. What numbers (incidents) does CERT track, what does NCIIPC track and what does NCRB track … finally what is reported by the concerned Minister to the Parliament, and which number(s) form the basis for creating policies etc.? While the Cyber Swachta Kendra is a good thought, isn’t it the Hindi translation of CERT! Besides, I must also highlight that this bot cleaning stuff was also proposed in 2006… and all that happened is that some people had some free trips, cocktails and dinners.
He did not talk about the empanelment process or the need to bring penalties into the system, which is a black hole area.
IndiaWatch wishes them well (Dr Rai and Dr Bahl) and hopes that they consider our suggestion of having public meetings with the Information Security professionals across the country. There is a big disconnect in perceptions and expectations at both ends and just getting a clutch of big names and big companies to discuss is really not sufficient.