Analysis: U.S., India Cyber TalksExperts Say Dialogue is Fine, But Defense Needs New Approach
U.S. and India cybersecurity leaders convened in Washington, D.C., this past week to discuss new collaborative ways to combat cybercrime and improve global cybersecurity.
And while Indian cybersecurity experts react positively to the dialogue, they say a new systematic and multi-pronged strategy is necessary to reduce cyber-threats.
"Unless the government brings out a national policy of data privacy and strengthens its cyber laws and policies imbibing best practices from other states, it would be futile," says Chennai-based V Rajendran, president, Cyber Society of India.
Dialogue and Goals
Over the course of the dialogue, the US-India Business Council's senior leaders reviewed many issues, including cyber threats, information sharing and incident management. There also was emphasis on cybersecurity cooperation in the context of "Make in India" efforts to combat cybercrime, improve internet governance, as well as norms of state behavior in cyberspace. Indian security leaders highlighted areas of priority that need immediate attention by the government to tackle cybercrime.
For more specific details about the discussions, ISMG reached out to Department of Electronics & Information Technology officials in India, as well as National Cyber Security Co-ordination Centre's head Dr. Gulshan Rai, who was part of the delegation.
Rai expressed his inability to disclose any details and the future course of action. The director general of CERT-India, B J Srinath, said he was not part of the delegation and had yet to receive a briefing.
But Indian cybersecurity experts, eyeing the dialogue from a distance, say this dialogue must spark the beginning of cybersecurity policy evolution in India.
"After a long gap, we see a positive gesture from the Indian government in tackling cybercrime as a global strategy, and being ready to learn," says Rajendran.
"India must come up with dedicated legislation to protect and preserve its cybersecurity and sovereignty and learn from the Chinese experiment in bringing its new law on national security to include cybersecurity as an integral component," says Delhi-based Pavan Duggal, a cyber-law expert and advocate, Supreme Court, and president, Cyberlaws.net.
Experts: What India Needs Now
According to the latest statistics, India's cybercrime is growing at an annual rate of 79 percent. But, India, which spent $7.76 million on cybersecurity in 2013 compared to $4.7 billion by the U.S., is challenged to find the resources to keep pace with the crime expansion.
Against this backdrop, Mumbai-based L S Subramanian, cybersecurity security consultant to large enterprises and founder, NISE, says nations - in the short term - must create cyber-armies to protect their countries.
The long-term strategy would be to enhance cybersecurity skills, educate citizens on security threats and develop new frameworks, laws and solutions, he points out.
In response to the joint statement issued by the U.S, and India regarding the nations coming together closely, along with the industry and civil society, to raise cyber defences, short and long term, Duggal says this initiative must be a constant exercise, not a one-time effort.
The governments, he says, must chart a step-by-step approach to achieve the following objectives:
- Create platforms for facilitating discussion and exchange of thought processes and information regarding breaches of cybersecurity;
- Assist each other in detecting, identifying and prosecuting cybercriminals in their respective countries;
- Create common minimum denominators regarding cybersecurity, acceptable to both;
- Enact new, dedicated cybersecurity legislation, as the Information Technology Act, 2000 is thoroughly incapable of addressing cybersecurity challenges of the current times;
- Facilitate common and accepted understanding on minimum common denominators which can be circulated with other countries;
Role of Public, Private Partnerships
Both nations agree that public and private cooperation is essential to protect against further attackers, an idea promoted by U.S. President Barack Obama.
Subramanian says there can be a public and private partnership in defence, but that governments must take charge of the partnership dialogue, rather than allow it to be controlled by security vendors.
"Unfortunately, in the defence of the cyber world, vendors are ahead of governments and hence, forced to lead the partnership - not a great idea for any government," he says.
A word of caution from Duggal: "Governments must quickly realize that a lot of critical information infrastructure is in private hands. Hence, the Indian government must come up with appropriate parameters to leverage public-private partnerships."
Although public and private partnership is a thrust area of the National Cyber Security Policy, not much has been done yet to promote it.
As a future step, the U.S. and India are to work on international standards for cybersecurity.
Since the Internet has made digital markets borderless, many believe international standards are necessary to protect the flow of data and reduce risk of breaches.
Currently, there is no international consensus on cybercrime. The Convention on Cybercrime of the Council of Europe is the only instance of a working treaty on the topic, experts say.
"India must urgently realize that it must be part of international protocols -combating cybercrime is not a national phenomenon regulated by national legislations only," argues Duggal.
Subramanian emphasizes having a global understanding of cybersecurity to develop standards: "If not, you will see the emergence of country-controlled internets," he says. "China has already taken the lead; it would not be the right move to tackle cybercrime."