“Our cyber security is like keeping the front door open for robbery”

Pamela Warren, cybercrime strategist and director at McAfee

sarthak

Sarthak Ray | June 13, 2011


Pamela Warren
Pamela Warren

India’s growing information technology (IT) infrastructure faces security threats in the form of virus attacks, forced crashing of systems and hacking. Last year, for example, the Stuxnet worm is known to have attacked utility companies in India, among other countries. Besides that, the computer systems of the ministry of external affairs and a few defence establishments also came under attack. Samir Sachdeva spoke to Pamela Warren, cybercrime strategist and director of global public sector and critical infrastructure initiatives at McAfee, a leading internet security agency, about these perceived threats and possible solutions. Edited excerpts:

What are the major cyber threats that India faces, according to your recently released report on global critical infrastructure?
Last year, many companies faced destruction of data or disruption of services and such attacks have increased this year. The security infrastructure has however not necessarily grown accordingly. In India, several companies have suffered from disruption of services and data theft and there is a growing concern over security preparedness both at the level of the companies and the government. Interestingly, while many companies believe that the government may not be prepared they are still hopeful that the national IT policy might still help mitigate these issues. In fact, there is a worldwide belief that regulation will somehow solve it all. But the flip side is that when there is too much focus on regulation and compliance with the checklist designed for it the focus may shift from securing the network. On the other hand, when the executives request for more security budget and head count, because they have to deal with some of these security issues that had been ignored before regulation was put in play, they can certainly get the budgets they have been requesting because all of a sudden it becomes the highest priority to comply.

How do you define critical infrastructure with respect to the government?
It is a challenge for the government because it needs a number of resources in order to try to mitigate risks, particularly here in India because so many of these responsibilities fall on the government. The other challenge that the government faces is to have in-house cyber security talent so that it does not have to depend on outsourcing all the time. So, there are issues of manpower as well as cost. This is not just in India; governments around the world are facing these challenges.

How vulnerable is our critical infrastructure, such as power grid or air traffic control?
There are three main threats: sabotage, exfiltration of data or data theft and extortion. In case of sabotage, of air traffic control or power grid, it’s very clear that we are going to lose power in certain segments of the grid. Obviously, any such sabotage will be a big blow to the government which will be forced to either pay off the demands or deal it with otherwise. Exfiltration of data is even harder to deal with. It is important how the stolen information is going to be used. Exfiltration of data can have an impact on the business along with the government. The information on what decisions have been made can give competitive advantage to those who procure it by stealing. I think exfiltration of date is the scariest threat to deal with because you don’t know what the outcome is going to be. And you certainly don’t know in many cases or have knowledge of when this malware is being planted to do the exfiltration, how long it has been there, what information has it now stolen and exfiltrated out of the government network.

Are these cyber threats most likely to emerge from China and Pakistan?
From a vendor’s point of view, it’s very difficult to pin the blame without additional inside information. When it comes to economic advantage, it can almost be any country. I would like to say that we as nations don’t take care of all our vulnerabilities. Our cyber security preparedness is like keeping the front door open for robbery. So can we really blame that other country? Or do we need to look back at ourselves in terms of protecting ourselves. Am I doing everything to protect that data, or am I going to blame the other guy for stealing it because I did not appropriately protect it?

What appears to be the purpose of these threats – spying, derailment of infrastructure or something else?
Without knowing the specific details of the attack, it is difficult to tell. The Stuxnet attack, for example, could have been a case of sabotage in this country. I think the broader thing is use of it as a wakeup call before it does bring down the entire grid, or it does bring down the IT infrastructure of the government. The Stuxnet could have created much more damage to us around the world than it did.

Is the Indian IT Act enough to deal with cybercrime? Shouldn’t we have a global mechanism when we know cybercrimes happen across borders?
One of the things that the global fraternity has been talking about is how much do we outsource to the countries which lack cyber security laws. And I think countries around the world need to be cognizant of that reality. As the number of data breaches increase around the world regardless of the location, there will likely be more and more attention on the data protection legislations. The European Union has very stringent data protection laws. Australia is considering this for some time. The US has an approach that differs from state to state and now it is looking at the federal level too. Canada is very stringent as well, just like the EU, and so the question is whether we should send data to a country that doesn’t have privacy laws. I think that would be a challenge. I think countries will be very concerned about it and will demand protection for the data and that’s again presuming that data is what’s being outsourced and not other types of services that don’t bring as much risk.
 

Comments

 

Other News

Centre intensifies preparedness as El Niño threat looms

Amid uncertainty in the southwest monsoon due to the potential impact of El Niño, the government is addressing the situation with comprehensive preparedness, a clear strategy, and strong ground-level action. While challenges remain, the entire system has been activated in advance and is working proa

India is crossing a climate threshold

On June 28, Delhi recorded a maximum temperature of 41.3°C, four degrees above the seasonal normal. But the “feels like” temperature, which factors in humidity, showed more than 51°C. What the body experienced was very different from what the thermometer recorded.  India`

The Geography of India’s inflation

India today finds itself in an unusual position. At a time when geopolitical conflicts, trade fragmentation, and supply-chain disruptions are reshaping the global economy, the country`s macroeconomic fundamentals remain relatively upwards. Growth remains among the highest in the world, inflation has larg

How to listen to the great storytellers that the trees are

The Trees of My Country: A Natural History of India in 50 Trees By T. R. Shankar Raman, with illustrations by Manali Patil Aleph Book Company, 284 pages, Rs 1,499  

This tree in Bihar turns out to be the oldest accurately dated banyan

A banyan tree in Munger, Bihar, estimated to be around 700 years old, has been identified as the oldest accurately dated banyan tree, Ficus benghalensis, using radiocarbon dating, a method that relies exclusively on scientific evidence rather than historical records or local lore. Banyan

Corporate Governance 3.0: What the boardroom of 2030 will look like

The phrase "corporate governance" often evokes images of board meetings, compliance checklists, and regulatory filings. For years, governance was viewed primarily as a mechanism to prevent fraud, protect minority shareholders, and ensure regulatory compliance. However, the events of the last deca





Archives

Current Issue

Opinion

Facebook Twitter Google Plus Linkedin Subscribe Newsletter

Twitter