Pamela Warren, cybercrime strategist and director at McAfee
Sarthak Ray | June 13, 2011
India’s growing information technology (IT) infrastructure faces security threats in the form of virus attacks, forced crashing of systems and hacking. Last year, for example, the Stuxnet worm is known to have attacked utility companies in India, among other countries. Besides that, the computer systems of the ministry of external affairs and a few defence establishments also came under attack. Samir Sachdeva spoke to Pamela Warren, cybercrime strategist and director of global public sector and critical infrastructure initiatives at McAfee, a leading internet security agency, about these perceived threats and possible solutions. Edited excerpts:
What are the major cyber threats that India faces, according to your recently released report on global critical infrastructure?
Last year, many companies faced destruction of data or disruption of services and such attacks have increased this year. The security infrastructure has however not necessarily grown accordingly. In India, several companies have suffered from disruption of services and data theft and there is a growing concern over security preparedness both at the level of the companies and the government. Interestingly, while many companies believe that the government may not be prepared they are still hopeful that the national IT policy might still help mitigate these issues. In fact, there is a worldwide belief that regulation will somehow solve it all. But the flip side is that when there is too much focus on regulation and compliance with the checklist designed for it the focus may shift from securing the network. On the other hand, when the executives request for more security budget and head count, because they have to deal with some of these security issues that had been ignored before regulation was put in play, they can certainly get the budgets they have been requesting because all of a sudden it becomes the highest priority to comply.
How do you define critical infrastructure with respect to the government?
It is a challenge for the government because it needs a number of resources in order to try to mitigate risks, particularly here in India because so many of these responsibilities fall on the government. The other challenge that the government faces is to have in-house cyber security talent so that it does not have to depend on outsourcing all the time. So, there are issues of manpower as well as cost. This is not just in India; governments around the world are facing these challenges.
How vulnerable is our critical infrastructure, such as power grid or air traffic control?
There are three main threats: sabotage, exfiltration of data or data theft and extortion. In case of sabotage, of air traffic control or power grid, it’s very clear that we are going to lose power in certain segments of the grid. Obviously, any such sabotage will be a big blow to the government which will be forced to either pay off the demands or deal it with otherwise. Exfiltration of data is even harder to deal with. It is important how the stolen information is going to be used. Exfiltration of data can have an impact on the business along with the government. The information on what decisions have been made can give competitive advantage to those who procure it by stealing. I think exfiltration of date is the scariest threat to deal with because you don’t know what the outcome is going to be. And you certainly don’t know in many cases or have knowledge of when this malware is being planted to do the exfiltration, how long it has been there, what information has it now stolen and exfiltrated out of the government network.
Are these cyber threats most likely to emerge from China and Pakistan?
From a vendor’s point of view, it’s very difficult to pin the blame without additional inside information. When it comes to economic advantage, it can almost be any country. I would like to say that we as nations don’t take care of all our vulnerabilities. Our cyber security preparedness is like keeping the front door open for robbery. So can we really blame that other country? Or do we need to look back at ourselves in terms of protecting ourselves. Am I doing everything to protect that data, or am I going to blame the other guy for stealing it because I did not appropriately protect it?
What appears to be the purpose of these threats – spying, derailment of infrastructure or something else?
Without knowing the specific details of the attack, it is difficult to tell. The Stuxnet attack, for example, could have been a case of sabotage in this country. I think the broader thing is use of it as a wakeup call before it does bring down the entire grid, or it does bring down the IT infrastructure of the government. The Stuxnet could have created much more damage to us around the world than it did.
Is the Indian IT Act enough to deal with cybercrime? Shouldn’t we have a global mechanism when we know cybercrimes happen across borders?
One of the things that the global fraternity has been talking about is how much do we outsource to the countries which lack cyber security laws. And I think countries around the world need to be cognizant of that reality. As the number of data breaches increase around the world regardless of the location, there will likely be more and more attention on the data protection legislations. The European Union has very stringent data protection laws. Australia is considering this for some time. The US has an approach that differs from state to state and now it is looking at the federal level too. Canada is very stringent as well, just like the EU, and so the question is whether we should send data to a country that doesn’t have privacy laws. I think that would be a challenge. I think countries will be very concerned about it and will demand protection for the data and that’s again presuming that data is what’s being outsourced and not other types of services that don’t bring as much risk.
Home minister Amit Shah’s remark on the need for a single national language has rightly sparked a debate, but the headlines missed much in his speech about language, culture, and identity. Giving away Rajbhasha Gaurav Puraskar and Rajbhasha Kirti Puraskar awards on the occasion of Hin
Renowned British singer, songwriter and reggae DJ, Apache Indian (originally known as Steven Kapoor) shot to fame with his style of music which came to be known as bhangramuffin (also called bhangragga) – a mix of bhangra, reggaemuffin and traditional dance hall in the early 1990s. His style changed
When close to five lakh people are killed in road accidents every year in India, road transport minister Nitin Gadkari should have been complimented on his not-so-populist move to impose higher fines for traffic violations. Instead, many people are unhappy and several states – mostly ruled by the BJP
Traditional fishermen or Kolis; synonymous with feasting, song and dance; are the original inhabitants of Mumbai. For generations, they have loved their vocation and prided in it. But their work and lifestyle are facing threats from reclamation, land acquisition by builders, lack of sustainable fishing pra
Addressing the Conference of Parties (COP14) to the United Nations Convention to Combat Desertification (UNCCD), Prime Minister Narendra Modi on Monday announced that India would raise its target of the total area that would be restored from its land degradation status from 21 million hectares to 26 millio