Ibelieve India's future is digital. Indeed, mankind's future is digital. I envisage a new India in the nottoo-distant future, where almost everything we do is digitally transformed…I see a new India which will use digital currency instead of paper money, for a more secure and convenient way to transact.
— Chairman Mukesh Ambani at Reliance Industries' 39th annual general meeting in June 2013 After building world-class capacities in petrochemicals and petroleum refining, and working towards creating similar size and scale in organised retail and digital telecom services, where does a 3.7-lakh-crore conglomerate look next for growth — growth that fits in with India's largest private sector corporation's four decades' old obsession with all things large and scalable?
The opportunities for such growth for Mukesh Ambani, the 56-year-old chairman of Reliance Industries Ltd (RIL), are many. Just one of them: a billion-dollar game plan for aerospace and homeland security, headed by Vivek Lall, the former Boeing head honcho.
Lall may find himself once again burning midnight oil — along with Ambani and his core team — over yet another new venture, one that dovetails swimmingly well with homeland security and RIL's strategy to deliver digital content, applications and services through a pan-India broadband network.
Cyber security is the newest blueprint on Ambani's drawing board. And it is still getting its finishing touches. "After all the RIL chairman knows only too well the Chinese proverb that a journey of a thousand miles starts with a single step," says a person close to the matter who vouches for the fact that RIL is pursuing opportunities in the cyber security sector, both at home and abroad. "This is yet another single step for him," says this person who emphasises that the billionaire had helped the company his father Dhirubhai built take many such "baby" steps before making giant strides in oil and gas exploration and production, refining and marketing, petrochemicals, retail and telecommunications.
Ambani's reasoning for entering cyber security is as simple as simple can get, argues this person who didn't wish to be named. As a company which is among the most vulnerable ones in India to cyber attacks thanks to the nature of businesses it is in, RIL will continue to aggressively build a cyber security network to protect its own assets and will then look for selling those security solutions in the market. RIL, the operator of the world's biggest oil refinery complex at Jamnagar in Gujarat, may launch a "cyber vertical" for this purpose, the person adds without giving details of what he calls Ambani's "ambitious new" plan. "All I can say is he has a vision in this segment and at a time when businesses are increasingly getting connected to the internet and in the process confronting challenges to secure their networks, it makes perfect business sense to be there," he notes. An RIL spokesperson declined to comment on specifics of the cyber-security plan.
Critical Reasoning
Sunjoy Joshi, director of think-tank Observer Research Foundation, which is organising a major cyber security conference in Delhi next week, reckons that it is only a matter of time before the private sector takes a lead role in developing solutions to safeguard critical infrastructure and all types of businesses. Big companies such as RIL, Tata and Bharti will naturally explore possibilities in the area, he posits. "Smaller players too will join the race…the government can't manage things on its own. It will have to not only enlist the private sector but go beyond — by taking support from other organisations and individuals to rev up the country's cyber security prowess."
According to Rakshit Tandon, consultant, Internet and Mobile Association of India, companies such as RIL, Tata and Bharti, "as prime service providers to the cyber and IT infrastructure space, will surely play a vital role in sharing their learning and vulnerabilities, which will help India's cyber-security framework become stronger". In fact, most of these companies need to keep safe their critical assets as they expand operations. For instance, RIL, which currently imports 300,000 barrels per day (bpd) of oil from Venezuela for processing at its twin refineries in Jamnagar, wants to increase these volumes shortly, possibly to 400,000 bpd, according to news reports.
Subramanian Ramadorai, a former CEO of TCS and now chairman of the National Skill Development Agency (NSDA), points out that many private companies in India have considerable experience in cyber security. "The offshoring model has now matured significantly with several top-of-the-line security controls and processes. Private companies have a lot to share in terms of experience and in capacity building of relevant skills." Ramadorai adds that Indian industry as an initiative has set up a not-for-profit company called DSCI to develop best practices in cyber security and "leverage the experience in private sector in the country for government purposes" (see Hire Ethical Hackers...).
At the Vanguard
RIL had, in early 2011, set up its homeland security and aerospace businesses by roping in then Boeing India chief Lall (when asked, Lall declined to comment on the specifics). As head of Reliance's homeland security venture — which again has its genesis in the necessity to secure its own assets — Lall, 44, is seen as the natural choice to head the cyber security vertical once it is launched. Lall, a former Nasa scientist who had earlier worked in global firms such as Raytheon, refused to comment on any such possibility either.
Lall is currently member of a joint working group ( JWG) set up by the government of India to explore ways to build India's cyber-security backbone. His JWG membership confirms the government's willingness to tap the potential of private players, says a home ministry official. After all, the situation is grave, admits this official who asked not to be named.
Cyber security, a relatively nascent industry in India, has not kept pace with the growth of information technology in a country of 1.2 billion. According to Nasscom, the local IT industry touched $100 billion in revenues last year. "Cyber security in India is in a pitiable state," says the home ministry official.
Of course, he is on the ball because cyber crime was categorised as a punishable offence only as late as 2008 when the government came up with the IT Act 2008. This, at a time when the country's official data is getting increasingly stored online. Hostile neighbours and wily groups of global and local extremists are bracing themselves in no-holds-barred cyber warfare — not only China but Uncle Sam is also snooping on local official information and spying on core assets.
According to another home ministry official, the most frequently attacked networks include the Prime Minister's Office and the Ministry of External Affairs. Though DRDO comes on this list of targets, the nodal defence research agency keeps issuing statements denying any attack on their networks. The number of cyber security attacks on India rose to 22,060 in 2012 from 23 in 2004, according to government data.
The country is also facing a huge shortage of cyber-security professionals: it requires 5 lakh such people, but has only 556 in comparison with 125,000 in China, 91,080 in the US and 7,300 in Russia, according to official data.
In those numbers lies a clear business opportunity in cyber security. According to PricewaterhouseCoopers, India's digital information security market is expected to grow 18% a year as the country moves beyond mere installation of firewalls and anti-virus software. Interestingly, a huge number of companies have a newer set of CXOs — chief security officers (CSOs) — on their payroll.
Unsurprisingly, companies such are RIL would like to be at the forefront of the publicprivate partnership the Centre has envisaged to combat cyber crimes unleashed on the country. The government's new cyber security plan — cleared by the Cabinet a few months ago — looks at bringing together organisations such as NTRO, defence and home ministries, CERTIn and so on to work towards a common cause.
The Central Initiative
The cyber security JWG formed under the national security adviser (NSA) has recommended the creation of a permanent JWG under the National Security Council Secretariat (NSCS) — which falls under the National Security Council headed by the prime minister – with representatives from the government and the private sector. This permanent JWG is meant to act as an advisory body and coordinate public-private partnerships (PPPs).
The mandate for private-sector companies would be to set up cyber security mechanisms across segments they are present in and then to share their learning with the NSCS. According to official reports, some of the NSA's recommendations include the government and private sector jointly training almost five lakh cybersecurity professionals in five years. The government — which, according to at least three defence officials, is covertly recruiting young hackers to man its cyber-offensive units as part of efforts to take on the Chinese and American onslaught — is also keen that local companies develop indigenous defensive software because they feel foreign-origin software is compromised. The JWG also envisages the creation of testing and certification centres and pilot projects for conducting test audit on IT products. Officials are also deeply concerned that India is among the top five countries whose data has been compromised for years by the American NSA surveillance system.
Changing Times
Senior IPS officer Muktesh Chander, former director of National Critical Information Infrastructure Protection Centre (NCIIPC), says he is no admirer of the idea of critical infrastructure protection being handed over "indiscriminately" to the private sector. He sees dangers in such decisions.
However, Chander, an electronics engineer by training, says he would be glad to see Indian companies come up with path-breaking solutions and products such as routers (to lower reliance on US networking giant Cisco), or develop an encryption algorithm (which converts electronic data into a meaningless form that cannot be read or understood; it is reconverted with a user's password), chips and so on to ensure much lower reliance on overseas companies. Chips made abroad can be used by countries from where they are made to snoop on India, if they want to, notes Chander, who had earlier worked with Bharat Heavy Engineering Limited as a quality-control engineer.
Chander sees more private-sector companies managing critical infrastructure because more such companies are entering into the area which was once a preserve of the government. "Certainly there is a lot of scope for companies such as Bharti and RIL to tap the opportunity. Some solutions can only be developed by companies deeply involved in specific businesses. Their knowledge in enhancing cyber security is very valuable," says this tech-savvy officer who is currently joint commissioner, Prime Minister's security. He is now pursuing a PhD in cyber security from IIT Delhi. Chander only hopes that such efforts to buttress India's cyber security prowess don't go the way of the country's semi-conductor manufacturing initiative (which, he says, has reached nowhere) and the nuclear programme, which, he says, has gone astray. He suggests that private players work towards building new supervisory control and data acquisition (SCADA) industrial control systems, which are PC-controlled systems that monitor and control industrial processes.
Eavesdropping Inc
Bruce Schneier, a renowned American cryptographer and computer security expert, echoes Chander's worries. However, he feels the problem is not imported semiconductor chips, but finished network hardware. "If you buy your network hardware from another country, like the US or China, then you are potentially vulnerable to whatever eavesdropping capabilities those countries might have built into the equipment." He also says that since most of the internet is controlled by the private sector, protecting it requires the cooperation of the private sector whether it has begun late or not. The government simply can't do it alone, he insists.
All this is why a senior domestic IT company official feels that Ambani clearly has his ear to the ground. "The opportunity in cyber security is certainly going to be huge," he says, asking not to be identified because he doesn't want to be seen as "complimenting someone before
the success of a venture". He adds: "It
is a multi-pronged approach, for sure. Support the government, protect your own assets and sell solutions to others."
Politically Driven Issues
There are internecine wranglings of sorts between various official agencies (see The Current Scenario) that hurt a coordinated approach in cyber security. A defence ministry official spoke on condition of anonymity that "nonappointment" of CERT-In chief Gulshan Rai as the first National Cyber Security Coordinator (NCSC), a job that entails him to coordinate among various agencies involved in cyber security, is thanks to such "an atmosphere of mild friction" among these departments. While Rai refused to comment, a former NTRO official confirmed that "for sure, there is a turf war".
Notwithstanding such hiccups, private-sector players are expected to forge ahead with their plans — creating PPPs, developing security solutions and finally selling them — says Chander, who doesn't see "any turf war" derailing the government's moves to strengthen coordination among various agencies handling cyber security.
Admittedly, there are hurdles. The major challenges for entrepreneurs such as Ambani and government agencies themselves include the absence of a data privacy law. Nor do we have an Indian version of the anti-terror Patriot Act (that can be invoked in the time of a major cyber attack). India isn't a signatory to the Budapest Convention either — this first-of-its kind global treaty that aims to fight cyber crime through a general set of laws, enhancing inter-country cooperation and stepping up probes in such crimes. The absence of all these makes it difficult to put in place a cyber-security mechanism, concedes Schneier who has watched the global scenario for long. "It's difficult, of course, but if India wanted to make cyber security a priority, then it would be a priority," he declares.
Scope for Hope
US-based cyber security expert Bruce Niswander says, in India, the stress must be on delivering commercial solutions that help other developing countries confront and resolve the same problems that India must deal with in its domestic markets. "Creativity and innovation must become a national obsession. This, in turn, will lead to an explosion in global commercial contracts and deals," he adds. Niswander also favours hiring ethical hackers to step up offensive capabilities. "It will be really helpful and is also important to recruit young talent and create a Young Indian cyber army. From my experience of creating awareness on safe [internet] surfing with more than 6.5 lakh students, we have found that lots of young enthusiasts, who claim to be ethical hackers, get monetary benefits from international sites. We should be able to replicate it in India, just to encourage them. First, we need to create a pool of these young ethical hackers and train them in the right direction. The government should recruit them or encourage them so that they can work for the nation."
Ambani, known to revel in scalable business opportunities, has already taken the cue.
•
RIL's
Cyber
Security
Push
RIL, which is setting up cyber-security infrastructure to safeguard its own businesses, will share its learnings with the government
Ambani's immediate plan is to develop security solutions for captive use at its businesses that include oil & gas exploration & production, petrochemicals, retail and telecom
The 56-year-old billionaire's long-term plan is to hit pay dirt by selling such security solutions both at home and abroad
RIL is likely to float a vertical in cyber security for this purpose
The Current
Scenario
KEY GOVERNMENT AGENCIES IN CYBER OFFENCE:National Technical Research Organisation (under control of RAW) and Department Intelligence Agency
AGENCIES FOCUSED ON CYBER DEFENCE:Indian Computer Emergency Response Team (CERT-In); set up in 2004 as a unit of Department of Information Technology, it protects non-critical assets. CERT-In is national nodal agency on computer security incidents.
National Critical Information Infrastructure Protection Centre: Carved out of CERT-In in 2012 to protect assets in critical sectors such as energy, transport, banking, telecom, defence and space
Scenario
KEY GOVERNMENT AGENCIES IN CYBER OFFENCE:National Technical Research Organisation (under control of RAW) and Department Intelligence Agency
AGENCIES FOCUSED ON CYBER DEFENCE:Indian Computer Emergency Response Team (CERT-In); set up in 2004 as a unit of Department of Information Technology, it protects non-critical assets. CERT-In is national nodal agency on computer security incidents.
National Critical Information Infrastructure Protection Centre: Carved out of CERT-In in 2012 to protect assets in critical sectors such as energy, transport, banking, telecom, defence and space
RIL set up its security arm under Vivek Lall (left) primarily to meet captive needs. The cyber security vertical too will protect own assets and then sell solutions
Government in
Cyber-Defence Mode
A pilot joint working group (JWG) under national security adviser has proposed creation of a permanent JWG under National Security Council Secretariat (NSCS) — which falls under the National Security Council headed by the PM
The permanent JWG will act as an advisory body & coordinate public-private partnerships
Companies like RIL are at the forefront — its defence and aerospace wing chief Vivek Lall is a
member of the JWG
JWG also suggests setting up of a
joint committee on international cooperation and advocacy
The mandate of private-sector companies would be to set cyber security mechanisms and share their learnings with the NSCS as well as others in the sector to protect Indian companies from cyber attacks
The JWG also envisages creation of testing & certification centres and pilot projects for conducting test audit on IT products
Cyber-Defence Mode
A pilot joint working group (JWG) under national security adviser has proposed creation of a permanent JWG under National Security Council Secretariat (NSCS) — which falls under the National Security Council headed by the PM
The permanent JWG will act as an advisory body & coordinate public-private partnerships
Companies like RIL are at the forefront — its defence and aerospace wing chief Vivek Lall is a
member of the JWG
JWG also suggests setting up of a
joint committee on international cooperation and advocacy
The mandate of private-sector companies would be to set cyber security mechanisms and share their learnings with the NSCS as well as others in the sector to protect Indian companies from cyber attacks
The JWG also envisages creation of testing & certification centres and pilot projects for conducting test audit on IT products
Most of the internet is controlled by the private sector. Protecting it requires the cooperation of the private sector. The government simply can't do it alone"
Bruce Schneier,
US-based cryptographer, computer
security specialist and writer
Bruce Schneier,
US-based cryptographer, computer
security specialist and writer
Opportunity
Beckons
According to a consultancy, India's cyber security market is expected to grow at 18% per annum
Currently, the size of the cyber security industry in India is close to 1,415 cr
Cyber security attacks on India rose to 22,060 in 2012 from 23 in 2004
Thanks to increased spending by companies to secure their information assets, cyber security spending globally would continue on an upward trajectory, reaching $86 billion in 2016, up from $60 billion in 2012
Beckons
According to a consultancy, India's cyber security market is expected to grow at 18% per annum
Currently, the size of the cyber security industry in India is close to 1,415 cr
Cyber security attacks on India rose to 22,060 in 2012 from 23 in 2004
Thanks to increased spending by companies to secure their information assets, cyber security spending globally would continue on an upward trajectory, reaching $86 billion in 2016, up from $60 billion in 2012
Hire Ethical Hackers, Treat Them Like Special Forces"
S Ramadorai, vice-chairman of TCS and chairman of
the National Skill Development Agency, says the private sector must play a crucial role in enhancing cybersecurity capabilities. The IT veteran calls for hiring and training young, talented people to handle cyber attack units. Edited excerpts from an interview with Ullekh NP:
On the importance of companies like RIL sharing their learning from building cyber security capabilities with the government
Private companies have a lot to share in terms of experience and in capacity building of relevant skills. The private sector has indigenised various security-related technologies and supported in building the security infrastructure of the country. Many private companies have considerable experience in cyber security. The offshoring model has matured significantly with several top-of-the-line security controls and processes.
On enhancing cyber security in the face of attacks from various corners, especially from China and even from the US
The country does require a skilled cyber-security labour force. Most countries, notably China, have started grassroots campaigns to identify technically gifted youngsters and recruit them for defending the nation. In India, too, these initiatives have been started by various agencies. However, much more needs to be done. The talent is available.
We must also focus on rapid detection, containment and reaction. One statistic shows that attackers remain undetected on a network on average for 416 days! The amount of damage that can be done in this time is huge. Offensive security testing (known as penetration testing) is a wonderful way to audit the security of networks. Some companies such as Facebook, Twitter and so on run what are known as "bug-bounty programs" where any hacker is invited to find vulnerabilities in their systems (without causing damage). On disclosing the flaw, they can be paid to the tune of $10,000. This is a great way to identify talent. Ultimately, it is more important to have a pool of extremely high-quality talent rather than just large numbers. A sophisticated team of even 50 top hackers is far better than 1,000 average/semi-skilled professionals. We must treat these teams like special forces.
On how crucial cyber security is in a war scenario
Offensive cyber-security capabilities are of great importance, as they will be the fourth branch of the defence forces. No war will be fought without taking recourse to these capabilities for intelligence and disruption prior to putting boots on the ground, ships to sea or planes in the air. The power of an offensive cyber capability cannot be underestimated, as shown by the Stuxnet virus used against Iran, and various other cyberweapons that have recently been seen such as Flame, Gauss, Wiper, Duqu, etc. Defensive capabilities in India need to be bolstered significantly. Most government IT infrastructure is vulnerable to attacks. Besides, most government officials are in no position to handle threats such as spear-phishing (e-mail spoofing fraud) or social-engineering attacks, which target them as a means of entry into the government networks.
S Ramadorai, vice-chairman of TCS and chairman of
the National Skill Development Agency, says the private sector must play a crucial role in enhancing cybersecurity capabilities. The IT veteran calls for hiring and training young, talented people to handle cyber attack units. Edited excerpts from an interview with Ullekh NP:
On the importance of companies like RIL sharing their learning from building cyber security capabilities with the government
Private companies have a lot to share in terms of experience and in capacity building of relevant skills. The private sector has indigenised various security-related technologies and supported in building the security infrastructure of the country. Many private companies have considerable experience in cyber security. The offshoring model has matured significantly with several top-of-the-line security controls and processes.
On enhancing cyber security in the face of attacks from various corners, especially from China and even from the US
The country does require a skilled cyber-security labour force. Most countries, notably China, have started grassroots campaigns to identify technically gifted youngsters and recruit them for defending the nation. In India, too, these initiatives have been started by various agencies. However, much more needs to be done. The talent is available.
We must also focus on rapid detection, containment and reaction. One statistic shows that attackers remain undetected on a network on average for 416 days! The amount of damage that can be done in this time is huge. Offensive security testing (known as penetration testing) is a wonderful way to audit the security of networks. Some companies such as Facebook, Twitter and so on run what are known as "bug-bounty programs" where any hacker is invited to find vulnerabilities in their systems (without causing damage). On disclosing the flaw, they can be paid to the tune of $10,000. This is a great way to identify talent. Ultimately, it is more important to have a pool of extremely high-quality talent rather than just large numbers. A sophisticated team of even 50 top hackers is far better than 1,000 average/semi-skilled professionals. We must treat these teams like special forces.
On how crucial cyber security is in a war scenario
Offensive cyber-security capabilities are of great importance, as they will be the fourth branch of the defence forces. No war will be fought without taking recourse to these capabilities for intelligence and disruption prior to putting boots on the ground, ships to sea or planes in the air. The power of an offensive cyber capability cannot be underestimated, as shown by the Stuxnet virus used against Iran, and various other cyberweapons that have recently been seen such as Flame, Gauss, Wiper, Duqu, etc. Defensive capabilities in India need to be bolstered significantly. Most government IT infrastructure is vulnerable to attacks. Besides, most government officials are in no position to handle threats such as spear-phishing (e-mail spoofing fraud) or social-engineering attacks, which target them as a means of entry into the government networks.
0 comments:
Post a Comment