India, Malaysia Eye Cybersecurity PartnershipBut Which Nation Has the Expertise to Lead Threat Response?
Another important initiative by PM Narendra Modi, as part of his South East Asian visit, is to get his cybersecurity team to strike a chord with Malaysia's and agree on a mutual response to growing cyber threats. This is indeed commendable. But the question is about the seriousness attached to the pact and its execution. Also, which nation will take the lead, and what kind of best practices will they share? Who has the expertise for handholding, given that both are at too nascent a stage in cybersecurity practices?
The agreement signed between the CERT-In and Cybersecurity Malaysia seeks to promote closer cooperation and exchange of information about cybersecurity incident management, technology cooperation, cyberattacks, prevalent policies, best practices and mutual response to cybersecurity incidents.
Does India understand Malaysia's cybersecurity vision and vice-versa, and has it worked out practical approaches to exchange best practices, if any?
Modi is on a spree to sign bilateral agreements with all nations across all spheres, which only indicates he wants to make hay while the sun shines, and that he wants to envelop all the best practices from all nations for his own political reasons.
But is this approach practical?
What's missing is whether the team has done its homework before signing such agreements. Does India understand Malaysia's cybersecurity vision and vice-versa, and has it worked out practical approaches to exchange best practices, if any?
On the one side, India's National Cyber Security Policy approved in July 2013, with the objective to build a secure and resilient cyberspace for citizens, businesses and the government, is criticised by most. The biggest knock: It's restricted to being merely a draft paper and doesn't really chalk out a clear implementation strategy.
Meanwhile, Malaysia's National Security Vision to secure the country's critical national information infrastructure and make it resilient and self-reliant to promote stability, social well-being and wealth creation is also broadly defined, with no clear implementation plan.
One good move is that both India and Malaysia have an exclusive cybersecurity office with the head reporting to the prime minister's office.
However, with no clear implementation plan by either government, and by only depending on the multi-stakeholder approach with the industry to building the framework for a cybersecure ecosystem, this approach will not go very far.
Dr. Amiruddin Abdul Wahab, chief executive officer, Cybersecurity Malaysia, ministry of Science, Technology and Innovation, agrees that most online fraud or cybercrime-related activity occurs because of lack of knowledge. This gap must be addressed by evolving new awareness programs and coming up with a stronger cybersecurity policy.
"This is only possible if we work with the industry, academia and experts and completely leverage the public-private partnership model in building the necessary ecosystem and fight new threats," he says.
It has to be a top-down approach where the cybersecurity heads of the both governments evolve a structure and roll out specific programs to leverage expertise.
Where is the Challenge?
The challenges for both nations are common. The cybersecurity policies do not go into detail regarding the approach or mechanism needed to fill the gaps.
The tall claims about creating a cybersecure country are not supported by the mechanism. Gaps exist in addressing individual privacy issues, protection of data, bridging skills gaps, structure to make the multi-stakeholder plan work, funding the programs, the structure of R&D, and above all, the information sharing mechanism.
Dr. Wahab also believes that Malaysia's cybersecurity policy, drafted almost 10 years ago, must be reviewed.
The challenge that both nations face comes from increased cyber threats, which have expanded to an unprecedented level.
What should be the Game Plan?
As Modi said, India and Malaysia will continue to deepen their cooperation. "The recent spate of attacks in different countries, not to mention the ceaseless terrorist attempts against India and Afghanistan, are a reminder of the global nature of this threat."
He sees the need to have an early conclusion of an agreement on Mutual Recognition of Degrees. But is that all? If not, where do you begin?
For any partnership, the origin is about knowledge and skill transfer. Unfortunately, the two nations agree the global supply of cybersecurity professionals is unable to match the market's explosive growth.
India cybersecurity chief Dr. Gulshan Rai's take on resolving the issue is:
- Take a multilateral approach, given that cybersecurity will be an important focus;
- Invite private and public to support the R&D; the government will follow;
- Develop innovative methods of building the scale of security operations among enterprises
India needs to build a capacity of 500,000 cybersecurity professionals by 2020, while Malaysia's Dr. Wahab's target is building 10,000 by 2020.
In my opinion, the modus operandi should be defined regarding:
- Skills exchange programs between the two nations - to identify the gaps and bridge these leveraging mutual expertise;
- Jointly build cybersecurity awareness programs ;
- Share best security practices and thought leadership in building cybersecurity models;
- Encourage the academia in both nations to drive research and innovations in cybersecurity;
- Share information about potential threats, identifying sources of origin with intelligence, mitigating strategies, etc.
India's newly formed cybersecurity task force, an initiative by NASSCOM and DSCI to drive innovations, skill development and frameworks, must collaborate with a similar group from Malaysia under the supervision of the cybersecurity office to develop the blueprint and enable experts from the regions to combat cyber threats.
This would meet the objective of enhancing cybersecurity competency by gathering academicians, the government and relevant industries to discuss the issue and build a set of standards to certify cyber professionals at the level of universities and professional bodies.