Chander: India's Cybersecurity ChallengeEx-NCIIPC Director Chander on Government's InfoSec Posture
The Indian government has been slow to address emerging cybersecurity issues. But there are several members of the fraternity who are trying to spark progressive change within the system. Among these rising voices is that of Dr. Muktesh Chander, IPS.
"It is very important for security practitioners to acquire new skills to stay in business," says Chander, the former National Critical Information Infrastructure Protection Center director and a leading information security evangelist. "I believe there is a huge gap between what is happening in the landscape and where organizations are."
In this exclusive interview with Information Security Media Group, Dr. Chander shares insight and advice from his journey as a law enforcement officer and an information security practitioner and thought leader. He also addresses:
- Issues around awareness and education and the shortage of skilled professionals in India;
- Steps India needs to take to address challenges in the current security landscape;
- Some government initiatives and policy in the offing.
Dr. Chander a special commissioner in the Delhi police and is a former Center Director for the National Critical Information Infrastructure Protection Center and is an IPS officer from the 1988 batch. He holds a degree in Electronic and Telecommunications engineering, a master's degree in Criminology and Forensic Science and a degree in law from Delhi University. He has also served as a special United Nation Police Observer in Bosnia and Herzegovina. He was recently awarded a PhD in Information Security Management by The Indian Institute of Technology, Delhi.
Cybersecurity and Law Enforcement
Varun Haran: Could you share some highlights from you career as a law enforcement officer and a cybersecurity practitioner?
Muktesh Chander: I have been interested in cybersecurity ever since I got involved in cyber-crime investigations. Being a technical graduate and also holding a law degree, it was natural for me to veer toward a specialization in cybersecurity because I can see the phenomenon from all three perspectives -- policing, legal, as well as technology.
As a police officer with a technical background, I was involved in a lot of projects related to the introduction of new technology into policing in India. To name a few, the introduction of biometrics in the police recruitment, the introduction of a digital dossier system, and the introduction of computerized remote identification of suspects, among several others.
I feel technology can help police in ensuring transparency, and expedite service delivery to citizens. Efficiency and collaboration within the force and other police organizations increases. I believe that many of these initiatives are low cost, only requiring a little bit of innovation on the part of police officers and organizations, which can go a long way. For instance, the police are using social media, which is very popular with young users, to great advantage. We recently launched a Whatsapp service for the traffic police where citizens can connect with us directly to address grievances.
The Skills Gap
Haran:What are some of the skills practitioners will need to stay relevant in the face of emerging threats?
Chander: It is very important for security practitioners to acquire new skills to stay in business. I believe there is a huge gap between what is happening in the landscape and where organizations are.
I believe cybersecurity is not just a technical subject - a lot of managerial, human and organizational angles are involved. Information security professionals also have a big role to play in boardroom activities. They will be instrumental in sensitizing top management and boards about the importance of cybersecurity. They need to help organizations adopt a risk management approach.
Education, training and awareness play a very important role here. I agree with the Department of Electronics and Telecommunication that we are facing a serious shortage of cybersecurity personnel in India. To face today's threats, cyber security practitioners need to not only be competent in their own fields, but also need to take a multidisciplinary approach.
Haran: Many ambitious projects have been incubated by the government to promote information security skills and create a skilled pool of cybersecurity experts, like the National Cyber Security Policy and the National Security Database. These haven't produced any tangible results. What are some of the challenges?
Chander: I disagree. We have made a lot of progress. The National Cyber Security Policy of India and the guidelines for critical information infrastructure protection have been issued. I am sure that the National Critical Information Infrastructure Protection Center will come out with sector-specific guidelines very soon. We have our IT Act 2008 (Amendment) that mandates reasonable security practices to be followed by organizations that deal with sensitive information.
Most importantly, the critical information infrastructure has been defined. There is a punishment described for cyber terrorism. I believe that a lot of ground has been covered from a legal as well as policy perspective.
The next big challenge is implementation. This is a massive task which must begin in real earnest - this is where the role of cybersecurity professionals in the industry will stand out. They must be ready to deliver.
Educational institutes need to help in fulfilling the demand-supply gap in skilled professionals. I think a lot of educational institutions have already started courses in cyber security as part of their B.Tech and M.Tech curricula. When I was the center director at the NCIIPC, I have corresponded with educational institutes on the importance of introducing specialized, regular courses in cyber security. In the same way, a lot of security professionals are pursuing professional certifications in information security.
Critical Infrastructure Protection
Haran: While critical infrastructure may have been identified, strategic sectors like Oil & Gas, Power still do not have a dedicated security function. What is the holistic way forward?
Chander: I think starting from the nodal officer in every ministry and department, all organizations need to designate a senior level functionary as the CISO to protect information assets. They need to follow the notifications and guidelines in letter and spirit to enable them to move forward and establish their own holistic security practices.
All critical sector organization must declare systems which are sensitive as protected systems under the IT Act, section 70(A). There is an immediate need to provision adequate resources for these function in terms of budget and personnel, in addition to creating functions with the organization to discharge these duties. A single CISO entrusted with this job without budgets or resources won't be able to do justice to expectations from his role.
We need a proper data protection law in this country which is specific to data security. As of now we have a mix of laws which address everything from cyber-crime, arbitration, security in a piecemeal manner. We need a separate legislation exclusively devoted to Information Security in India.