Securing Digital India: EastWest's McConnell on the Risks that Must be Mitigated
Bruce McConnell, senior vice president of EastWest Institute, says that cybersecurity is not a technology problem that can be 'solved.' Rather, it is a risk to be managed by a combination of defensive technology, astute analysis and traditional diplomacy.
Prime Minister Modi's Digital India program must leverage this opportunity in building capacity and developing a cybersecure eco-system as a priority through a strong public private partnership, while protecting the nation's digital identities.
"This would be possible only when security experts of the industry support the government in filling the knowledge gap and enable organizations to recognize cybersecurity from a business perspective," he argues.
Another imperative, he sees, is to educate boards of directors when it comes to handling cybersecurity. For this, he says, security practitioners need to start speaking the business language to unblock communication flow.
"To secure cyberspace, the Indian government must work with the industry to design a secure technology infrastructure from the ground up," says McConnell.
In this interview with Information Security Media Group, conducted recently in Bangalore, McConnell points out that a new security governance structure must be evolved within organizations, and the CISO role must be evolved as an exclusive function.
Other important aspects of securing cyberspace include:
- Promote the implementation of reasonable security practices;
- Collect appropriate cyber forensics data in various jurisdictions;
- Build incident management and sharing of information with a view to creating an international incident response system.
US-based McConnell leads EWI's relationship-building with government and businesses around the world. He also manages the institute's Cooperation in Cyberspace Initiative. Beginning in 2009, McConnell was a leader of the cybersecurity mission at the U.S. Department of Homeland Security. He became Deputy Under Secretary for Cybersecurity in 2013, responsible for ensuring the cybersecurity of all federal civilian agencies and for helping the owners and operators of the most critical U.S. infrastructure protect themselves from growing cyber-threats. Before DHS, McConnell served on the Obama-Biden Presidential Transition Team, working on open government and technology issues.
GEETHA NANDIKOTKUR: You have been emphasising that cybersecurity is not a technology problem, it is a matter of risk management. Please elaborate?
BRUCE McCONNELL: Yes. We at EastWest Institute believe that cybersecurity is not a technology problem that can be 'solved', it is a risk to be managed by a combination of defensive technology, astute analysis and information warfare, and traditional diplomacy. Cyberattacks constitute an instrument of national policy at the nexus of technology, policy, law, ethics, and national security. Indian enterprises should not underestimate its importance as cyber security throws up challenges and opportunities and it then becomes an issue of management. The government should handle cyber-attacks through collective action, since the infrastructure is owned and operated by the private sector, and cyberspace passes through various legal jurisdictions all over the world. The Indian government should engage in supporting its private sector for cybersecurity through effective public-private partnership models, with clearly-defined roles for the government and industry. It all boils down to how the Indian government and enterprises manage their risks.
Ingredients to secure cyberspace
NANDIKOTKUR: You have been advising enterprises on securing cyberspace. What are the most essential ingredients for securing cyberspace?
McCONNELL: Be it the government or corporate, enterprises must understand that when it comes to securing cyberspace, collaboration is vital. Since cyberspace is relatively new, legal concepts for 'standards of care' do not exist. Enterprises or the government must take appropriate steps in their respective jurisdictions to create necessary laws, promote the implementation of reasonable security practices, incident management, and information sharing mechanisms, and continuously educate both corporate and home users about cybersecurity. One of the key challenges is lack of awareness and shortage of skills to recognize cybersecurity from a business perspective.
Educating board members is key when it comes to handling cybersecurity. For instance, security practitioners need to speak the business language to unblock communication. I would recommend security teams draw references of various contingency plans that the board will evolve in the likelihood of a disaster--be it with regard to a typhoon, labor strike, market fluctuations or any other risk. Relate cyberattacks/threats to a similar situation where the critical data is stolen or compromised, and question what should be the plan to tide over the adversity. Board members will immediately resonate with the scenario and work out a plan of action.
NANDIKOTKUR: What is your advice to the Indian government on building capacity?
McCONNELL: It is not just about building capacity of professionals, but also about creating awareness. Government and large enterprises need to partner with academia to develop cybersecurity courses. It is also about creating cybersecurity awareness among the 'C' suite and drawing the management's attention to cybersecurity risks. The Digital India vision should take this as a priority. The Indian government must work with the industry to design a secure technology infrastructure from the ground up. The security roles must be widened and the reporting structure must change. Every enterprise must create a risk portfolio and make the CISO in charge of the same. CISOs must report to CFOs or risk officers and directly communicate with the top management and not to CIOs. The CIO role must be to bring technology quickly and at a cost-effective price and not take security decisions. India has a great opportunity to make these structural changes that govern security. Besides, the government must work with the industry to design a secure technology infrastructure from the ground up. This should be driven by a market-based program, but one that is not a completely voluntary model.
Cybersecurity lessons for India
NANDIKOTKUR: What are the fundamental lessons for India in building a cybersecure eco-system and creating a security culture?
McCONNELL: While making the necessary investment in building capacity, which is a primary need, India must protect its digital world and practitioners must protect its digital identities to establish a security culture and to build an effective incident response mechanism. Username and password are no longer safe, and CISOs need to try deploying biometrics and tokenization to establish a two-factor authentication process for securing digital identities.
The government must understand that when it comes to security of cyberspace and building an incident response mechanism, it is essential to establish a mode of securing information and data. It is not only the laws dealing with cybercrimes that must exist, but the collection of appropriate cyber forensics data in various jurisdictions and their presentation in courts of law. It is critical to build incident management and sharing of information with a view to building an international incident response system. What Digital India needs now is having an incident response and transnational co-operation, including establishment of appropriate mechanisms for co-operation. Such measures must include provisions to respond to and counter cyber terrorism, including acts of sabotage of critical infrastructure and cyber espionage through information warfare.