Governance Now

“Our cyber security is like keeping the front door open for robbery”

Pamela Warren, cybercrime strategist and director at McAfee

sarthak

Sarthak Ray | June 13, 2011


Pamela Warren
Pamela Warren

India’s growing information technology (IT) infrastructure faces security threats in the form of virus attacks, forced crashing of systems and hacking. Last year, for example, the Stuxnet worm is known to have attacked utility companies in India, among other countries. Besides that, the computer systems of the ministry of external affairs and a few defence establishments also came under attack. Samir Sachdeva spoke to Pamela Warren, cybercrime strategist and director of global public sector and critical infrastructure initiatives at McAfee, a leading internet security agency, about these perceived threats and possible solutions. Edited excerpts:

What are the major cyber threats that India faces, according to your recently released report on global critical infrastructure?
Last year, many companies faced destruction of data or disruption of services and such attacks have increased this year. The security infrastructure has however not necessarily grown accordingly. In India, several companies have suffered from disruption of services and data theft and there is a growing concern over security preparedness both at the level of the companies and the government. Interestingly, while many companies believe that the government may not be prepared they are still hopeful that the national IT policy might still help mitigate these issues. In fact, there is a worldwide belief that regulation will somehow solve it all. But the flip side is that when there is too much focus on regulation and compliance with the checklist designed for it the focus may shift from securing the network. On the other hand, when the executives request for more security budget and head count, because they have to deal with some of these security issues that had been ignored before regulation was put in play, they can certainly get the budgets they have been requesting because all of a sudden it becomes the highest priority to comply.

How do you define critical infrastructure with respect to the government?
It is a challenge for the government because it needs a number of resources in order to try to mitigate risks, particularly here in India because so many of these responsibilities fall on the government. The other challenge that the government faces is to have in-house cyber security talent so that it does not have to depend on outsourcing all the time. So, there are issues of manpower as well as cost. This is not just in India; governments around the world are facing these challenges.

How vulnerable is our critical infrastructure, such as power grid or air traffic control?
There are three main threats: sabotage, exfiltration of data or data theft and extortion. In case of sabotage, of air traffic control or power grid, it’s very clear that we are going to lose power in certain segments of the grid. Obviously, any such sabotage will be a big blow to the government which will be forced to either pay off the demands or deal it with otherwise. Exfiltration of data is even harder to deal with. It is important how the stolen information is going to be used. Exfiltration of data can have an impact on the business along with the government. The information on what decisions have been made can give competitive advantage to those who procure it by stealing. I think exfiltration of date is the scariest threat to deal with because you don’t know what the outcome is going to be. And you certainly don’t know in many cases or have knowledge of when this malware is being planted to do the exfiltration, how long it has been there, what information has it now stolen and exfiltrated out of the government network.

Are these cyber threats most likely to emerge from China and Pakistan?
From a vendor’s point of view, it’s very difficult to pin the blame without additional inside information. When it comes to economic advantage, it can almost be any country. I would like to say that we as nations don’t take care of all our vulnerabilities. Our cyber security preparedness is like keeping the front door open for robbery. So can we really blame that other country? Or do we need to look back at ourselves in terms of protecting ourselves. Am I doing everything to protect that data, or am I going to blame the other guy for stealing it because I did not appropriately protect it?

What appears to be the purpose of these threats – spying, derailment of infrastructure or something else?
Without knowing the specific details of the attack, it is difficult to tell. The Stuxnet attack, for example, could have been a case of sabotage in this country. I think the broader thing is use of it as a wakeup call before it does bring down the entire grid, or it does bring down the IT infrastructure of the government. The Stuxnet could have created much more damage to us around the world than it did.

Is the Indian IT Act enough to deal with cybercrime? Shouldn’t we have a global mechanism when we know cybercrimes happen across borders?
One of the things that the global fraternity has been talking about is how much do we outsource to the countries which lack cyber security laws. And I think countries around the world need to be cognizant of that reality. As the number of data breaches increase around the world regardless of the location, there will likely be more and more attention on the data protection legislations. The European Union has very stringent data protection laws. Australia is considering this for some time. The US has an approach that differs from state to state and now it is looking at the federal level too. Canada is very stringent as well, just like the EU, and so the question is whether we should send data to a country that doesn’t have privacy laws. I think that would be a challenge. I think countries will be very concerned about it and will demand protection for the data and that’s again presuming that data is what’s being outsourced and not other types of services that don’t bring as much risk.
 

Comments

 

Other News

‘World’s biggest festival of democracy’ begins

The much-awaited General Elections of 2024, billed as the world’s biggest festival of democracy, began on Friday with Phase 1 of polling in 102 Parliamentary Constituencies (the highest among all seven phases) in 21 States/ UTs and 92 Assembly Constituencies in the State Assembly Elections in Arunach

A sustainability warrior’s heartfelt stories of life’s fleeting moments

Fit In, Stand Out, Walk: Stories from a Pushed Away Hill By Shailini Sheth Amin Notion Press, Rs 399

What EU’s AI Act means for the world

The recent European Union (EU) policy on artificial intelligence (AI) will be a game-changer and likely to become the de-facto standard not only for the conduct of businesses but also for the way consumers think about AI tools. Governments across the globe have been grappling with the rapid rise of AI tool

Indian Railways celebrates 171 years of its pioneering journey

The Indian Railways is celebrating 171 glorious years of its existence. Going back in time, the first train in India (and Asia) ran between Mumbai and Thane on April 16, 1853. It was flagged off from Boribunder (where CSMT stands today). As the years passed, the Great Indian Peninsula Railway which ran the

Vasudhaiva Kutumbakam: How to connect businesses with people

7 Chakras of Management: Wisdom from Indic Scriptures By Ashutosh Garg Rupa Publications, 282 pages, Rs 595

ECI walks extra mile to reach out to elderly, PwD voters

In a path-breaking initiative, the Election Commission of India (ECI), for the first time in a Lok Sabha Election, has provided the facility of home voting for the elderly and Persons with Disabilities in the 2024 Lok Sabha elections. Voters above 85 years of age and Persons with Disabilities (PwDs) with 4

Visionary Talk: Amitabh Gupta, Pune Police Commissioner with Kailashnath Adhikari, MD, Governance Now


Archives

Current Issue

Opinion

Facebook Twitter Google Plus Linkedin Subscribe Newsletter

Twitter