Is India Ready for an Information Sharing Act?Leaders Say Timing is Right, But Governance is an Obstacle
Earlier this month, U.S. President Barack Obama signed into law legislation that included the Cybersecurity Information Sharing Act, which is meant to incentivize businesses and government agencies to share cyber-threat information. Is India ready for similar legislation?
See Also: 2016 State of Threat Intelligence Study
Indian security leaders say it's time to assess if India's ready to initiate such an act, to discuss potential bottlenecks and the extent of public and private players' involvement in defining the process for information sharing.
Leaders say India can emulate CISA if only it can be tailored to Indian requirements and understand the nuances of each industry's functioning and information-sharing mechanism.
Chennai-based V. Rajendran, chairman, Governing Council, Cyber Society of India, acknowledges that India has put in place the Cybersecurity Information Monitoring Agency under D.r Gulshan Rai's leadership for smooth exchange of information among various bodies. "With the data privacy legislation to roll out soon, it's only logical that an Information Sharing Act will be in place," he says.
Meanwhile, Mumbai-based Dinesh Bareja, COO of Opensecurity Alliance and founder of India Watch, says such legislation would prove to be a challenge in India because of the weak governance structure of the corporate world and fragile regulatory and judicial controls.
"While regulatory bodies like SEBI, IRDA, RBI, TRAI, DOT etc., don't have a standard guiding principle to practice sharing, we've witnessed much mention about information sharing at the sectoral level - but not for LEA needs," Bareja says.
Gurgoan-based Sriram Natarajan, chief risk officer-Retail Banking, Quattro, agrees that as a process, the law ministry and finance ministry along with RBI should initiate such a bill. "Institutions, including FICCI, CA Institute, NASSCOM should draft this bill," he says.
Critics hope the U.S. CISA framework inspires Indian industries and regulators to come up with their own similar legislation.
Beware the Bottlenecks
Security practitioners acknowledge that CISA will establish a process for the government to share information with businesses volunteering to be part of the program, and similar legislation could prove important for protecting India's critical infrastructure. But there are bottlenecks in formalizing such information sharing, because of functional disparities in governance structure across sectors.
Bangalore-based Raghu V R, president, ISACA, says, "The challenge has been getting the buy-in from business and management groups, including teams like incident response, threat management, privacy, compliance, legal, etc., who don't speak the same language."
Bangalore-based Shashidhar CN, founder and CEO, SecureiT Consultancy, claims that past experience of industry players who shared information with government bodies was not fruitful.
"The challenge was that the private sector and large parts of government enterprises - especially bureaucrats - don't understand information/cybersecurity and the importance of sharing information," he says.
Some say legislation would affect the privacy of individuals and enterprises. The Indian government is adding the final touches to the Right to Privacy Bill (protecting individuals against misuse of data by government or private agencies), and any new legislation could hinder this process.
Rajendran observes, "The biggest challenge facing the government is its right to invade individual privacy of data, and human activists demanding the government stand firmly, saying individual right to privacy and expression is subordinate to India's sovereignty."
Another factor is the lack of appropriate checks and balances against misuse of powers granted by information-sharing legislation. "There's no medium to detect misuse and demand a repeal," he says.
Justifying Public, Private Partnership
CISA advocates that public and private players voluntarily work with government entities in preventing, detecting and mitigating threats and share cyber-threat information.
Raghu points out that in India there is no streamlined mechanism for sharing across private and public sectors, and no clarity on what kind of information must be shared.
While there are regulatory bodies such as RBI for banks and TRAI for Telcos, which have prescribed rules for reporting incidents of frauds, these rules are not binding - thus, ineffective.
RBI has recommended forming a dedicated cell such as the FS-ISAC under the IDRBT to encourage information sharing.
Experts argue the government has not evolved a structure for public and private players to share inputs, or a clear modus operandi.
Shashidhar observes, "The government's condition - that only private companies with three years of operations in the country who furnish entire financial statements with a turnover in excess of a certain prefixed amount will be entitled to get empanelled as its advisory - deters sharing."
Bareja asserts that private and public players are already cooperating in their own small, relationship-based and ad-hoc ways.
"The government should conduct a survey with law enforcement groups, identify areas of information sharing and formalize the requirement through an official notification," Bareja says.
Defined Process for Information Sharing
Security practitioners say while some critics might argue against the terms of the U.S. CISA, it is well-structure and has clearly stated its mission.
The positive aspect, they argue, is that the U.S. government has taken charge of developing procedures to share information with private entities, non-federal government agencies, state, tribal, and local governments, the public, and entities under threats.
The provision for public and private companies - stating they will detect, prevent or mitigate cybersecurity threats or security vulnerabilities, and may monitor and operate defensive measures on: (1) their own information systems; and (2) with written consent, the information systems of other private or government entities - is well-articulated.
Shashidhar comments, "The Indian government must similarly evolve a consensus on how the shared information will be used, identities protected, data anonymized/sanitized before sharing with all stakeholders."
Rajendran recommends a documenting process fixing responsibility of sharing, defining terms and expressions, ensuring proper co-ordination between various regions and the centre and guarding against misuse: "I'm optimistic a bill will be introduced in the coming years, though not immediately. While it may not be an exclusive bill as in the U.S., it can be a well-defined procedure or notification backed by legal terms."
Natarajan says a secure national roadmap for information sharing is important and it should follow the process similar to RBI which mandated OTP, PIN and also biometric ID.
Raghu maintains, "The government can use sections from the NIST framework for information sharing guidelines and state the details of the information sought."
Bareja says the government should start with a central and standardized Know Your Customer database and procedure: "KYC's been around for a long time - if there's good control over the quality of information, it will aid understanding at the first level."