Cybersecurity: What Should MHA's Priorities Be?
Security Practitioners Weigh In on Key Investments
The Union Ministry of Home Affairs has informed the Finance Commission about its budgetary requirements of over INR 3.5 lakh crore for internal security between 2020 and 2025, with a significant, but unspecified, portion to be allocated to cybersecurity. The budget is yet to be approved by the Finance Commission.
In light of the budget proposal, security practitioners are weighing in on the kind of security investments the MHA needs to make. Among their suggestions are investments in newer technologies, including machine learning, artificial intelligence and advanced forensics.
But some security experts are raising questions about whether comprehensive cybersecurity policies and technologies will actually ever be implemented, regardless of the size of the MHA internal security budget.
"Often in the past, the declared cybersecurity policy has proved to be paperwork alone with no actual implementation," says Rajesh Dangi, chief technical officer at NxtGen Infinite Datacenter, a cloud-based datacenter. "Investments in a single technology or policy cannot be considered a panacea for all cybercrimes and attacks in India."
The MHA briefed the Finance Commission on various measures it is implementing that require continued capital expenditures, including, for example, modernization of police forces' crime and criminal tracking networks and systems, The Deccan Herald reports.
Capital investment is also required to make appropriate use of new technologies for cybersecurity and border management, the MHA said, according to the news report. MHA will submit a detailed memorandum to the panel, it said.
Although the MHA proposal does not spell out how much will be spent on cybersecurity, many security practitioners expect it will be a significant amount.
In fact, last year, the Ministry of Information and Technology, or MeitY, asked all the ministries to spend 10 percent of their IT budgets on cybersecurity.
"In 2018-19, the IT ministry has got INR 5,500 crore for various things under it, including cybersecurity, which is significantly more than INR 4,040 crore allocated last year. In the last five years, there has been a significant increase compared to India's budgetary allocation towards cybersecurity, which was about INR 42.2 crore in 2012-13, and just INR 35.45 crore in 2010-11," Dangi says.
The government already has invested in the National Cyber Coordination Center and the National Critical Information Infrastructure Protection as well as in improving national cybersecurity coordination efforts. (See: India's Cybersecurity Efforts: Too Much Redundancy?)
In 2017, the MHA announced multiple measures to tackle cybercrime. For instance, the ministry, under the leadership of Rajnath Singh, recommended setting up a Cyber Crime Coordination Center with branches across all states.
The MHA had also announced the formation of an Inter-Ministerial Committee on Phone Fraud - with members from the Ministry of Electronics & Information Technology, Department of Financial Services, Department of Telecommunication, Reserve Bank of India and law enforcement agencies - to address the problem of banking fraud.
But the Cyber Crime Coordination Center has yet to be set up. Meanwhile, some security practitioners claim that the Inter-Ministerial Committee on Phone Fraud has had little impact so far.
Protecting the Supply Chain
Among the areas of concern yet to be adequately addressed by the government, some security experts contend, is ensuring security throughout the supply chain.
"One of the areas where I see very little progress being made is the manufacturing hardware space. As a result, there is always a danger of supply chain adulteration, which leads to major cybersecurity breaches," says a forensic expert working with the government of India who did not want to be named. "We need to urgently make the entire ecosystem conducive to the growth of indigenous companies. Government, too, has been stressing this, but I have yet to see any concrete steps in this direction." (See: India Wants Home-Grown Products for Telecom Security)
Vinayak Godse, senior director with Data Security Council of India, an industry body on data protection, believes government investment is critical for building the desired cybersecurity capabilities in the country.
"Today the entire paradigm is shifting toward high-speed computing. The investment would be required to develop security capabilities for the regime of high speed traffic," Godse says. "Quantum computing, hardware security, advanced forensics, protocols for security automation, deception technologies, networks, software designed infrastructure, blockchain, ML [machine learning] and AI [artificial intelligence] for cybersecurity need to be taken into consideration."
Lack of Coordination?
Although the government of India has formed multiple cybersecurity agencies to address specific areas, some security practitioners contend that the activities of these agencies are not coordinated because they have loosely defined responsibilities and boundaries.
"Every year the government comes up with a new cybersecurity center. Have they bothered to check the efficiency of the existing ones?" asks the forensic expert, who requested anonymity.
The government has failed to draft a policy that takes both technical and legal aspects of security into account, some practitioners argue.
"Section 43A of Information Technology Act refers to 'reasonable security practices and procedures' as determined by a law in force or agreed by parties," Dangi says. "As of now there is no law, and in its absence the parties are free to decide on the security standards to be adopted," he adds.
Other shortcomings, Dangi says, include the lack of state-of-the-art tracking infrastructure and inadequate information sharing among law enforcement agencies.
"One more issue is training of the LEAs and the judiciary to increase the success rate of the cases," he adds. "We also lack cybersecurity experts, cyber forensic experts and skilled manpower to tackle various issues that arise."
Dinesh Bareja, COO at Open Security Alliance, a cybersecurity consulting firm, says the government should create a cadre of specialists to augment cybercrime capability. "Skill building must not be restricted to hacking techniques, but also ensure the creation of specialists in psychology, data mining, white collar crime, intelligence, social engineering, etc.," he says.