Creating Private-Public Partners
What Are the Key Ingredients for Effective Collaboration?
Although developing effective public-private partnerships is a key part of India's National Cyber Security Policy, security leaders say little progress has been made to nurture these relationships.
Are there lessons India can learn from its western counterparts to develop these relationships and improve the nation's capabilities to protect its critical infrastructure?
The discussion comes in the wake of a recent cybersecurity dialogue between the U.S.-India Business Council and industry partners to reduce cybersecurity threats through targeted public-private partnerships. Both nations agree that public and private cooperation is essential to protect against further attackers. But India to this point has been challenged to create effective partnerships.
Dinesh Bareja, principal adviser-IS practice at Pyramid Cyber Security and Forensics Pvt. Ltd and Infosec Consortium, argues that the government's current proposal to invite private players does not articulate the projected return on investment for the prospective private partners for their efforts to develop a new product or a service.
"There are no incentives, subsidies or monetary support in the form of [standard operating procedures] for partners, and government is unable to define the structure of the partnership model," Bareja says.
Assessing Partnership Model
The 2013 India National Cyber Security Policy makes a specific mention about developing effective public-private partnerships to facilitate collaboration and cooperation among stakeholder entities including private sector; to create models for collaborations and engagement with all relevant stakeholders; and to create a think-tank for cybersecurity policy inputs, discussion and deliberations.
Industry bodies such as Nasscom and DSCI came up with a framework early this year, placing public-private partnership in the cybersecurity ecosystem along the lines of cyber policy. And although the government says it has made efforts to involve the private and public players in the security initiatives, the approach has been haphazard, security leaders say. They add that the approach has been ineffective and impractical owing to several issues.
Coimbatore-based S N Ravichandran, cyber investigator and member, Cyber Society of India, believes the issue is a lack of transparency in the government's communication process and ignorance of what needs to be done. The absence of a mechanism to verify and authenticate private parties to participate in such exercises is also a reason for its ineffectiveness, he says.
"Government is handicapped in terms of identifying and selecting the right partners on the basis of merit, as the private public partnership model is loosely defined or understood," Ravichandran says.
The crux of the issue is related to constraints faced by the private players in the procurement process, says Sahir Hidayatullah, CEO of Smokescreen Technologies Pvt. Ltd., a security player and a member of the Nasscom-DSCI Task Force.
For instance, the government is bullish about encouraging security technology startups to be part of the Make in India initiative, but it then restricts their entry into tenders with critical clauses. Every private or public party needs to be empanelled in CERT and has to make an earnest deposit of $1 million, supported by a quality rating, which is a challenge for many players where the return on investment is not assured.
Hidayatullah also believes that the mandates related to developing cybersecurity defenses are not clear. Supporting the view, Ravichandran says the government is using private players on a case-by-case basis where defenses have been breached.
Use of security companies of foreign ownership is itself a security breach, leaders say, but the government has very little choice since there are no indigenous companies that can deliver results.
"Government is not in a position to assess if the departments are using the right methods or skills to protect their critical infrastructure, as there is no mechanism to monitor, owing to the decentralised structure and disparate systems," Hidayatullah says.
Working PPP Model
Despite these challenges, the Indian delegation's recent visit to the U.S. has raised hopes among the security leaders that new partnership strategies will be worked out.
R Guha, Wipro's cybersecurity head and part of DSCI's task force involved in developing a cybersecurity ecosystem, says India is keen to engage private sector and academia to develop a sustainable, secure environment.
"There is an urgency to create a safer country, and new models are being evolved to put up an information-sharing model with strict timelines," he says. "Interestingly, government is engaging top integrators, service providers, vendors, academia and other private bodies constantly in dialogues on improving cybersecurity capabilities."
According to Hidayatullah, government has to initiate a few aspects to develop a sustainable PPP model:
- Evaluate the breach cases involving private players to understand the gaps;
- Modify the tendering and procurement process to develop cyber security products and services;
- Bring in more subsidies to encourage private players to participate in developing cyber defences, and create opportunities for them;
- Constantly audit and monitor the mechanisms in place.
"As a good defense, government should prescribe stringent security standards for every service, such as the National Institute of Standards and Technology SP 800-53 standard, the security controls defined for use by organisations in protecting their information systems and assets, or others, to be strictly adhered by the private and public partners in protecting the environment," he says.
Durga Prasad Dube, head of information risk management at Reliance Industries, says the government should involve consumers from the non-regulated industries in the cybersecurity dialogues with other vendors to understand the real challenges.
"Government of India should take a functional approach in developing cybersecurity defense model, engaging with the security practitioners along with partners to build appropriate skillsets and a proof of concept, without restricting it to being a document," Dube says.
Bareja says, this is a simple planning and strategizing process: Identify the needs; envision the requirement(s); define the objectives, scope and terms of working; list the incentives that will be provided to partners; invite participation, and select the partners.
Ravichandran says, "Government's role should be appoint a central agency to drive this partnership model and restrict itself to monitoring and stepping in when there is a breaking of law or overstepping of responsibilities. The body's role will be to train, certify and regulate the working of cybersecurity personal and be accountable for them."
Given the challenges, as a future initiative, the task force formed by DSCI and Nasccom has put a mechanism in place to compile the data of cybersecurity service providers, product vendors, technical and academic institutions and indigenous manufacturers to get first-hand insight on creating an evaluation parameters, says Hidayatullah.
"The members of the task force will evaluate the use cases, capabilities of each player or institution and put forth its recommendation to the government in terms of selection the private and public players soon," Hidayatullah says.