Separate Financial CERT Proposed: Will It Prove Effective?Indian Finance Minister's Jaitley Unveils Plans in Union Budget
In the first move of its kind, India's finance minister Arun Jaitley, included a cybersecurity proposal in his Feb. 1 union budget speech to the Indian parliament for the 2017 financial year, announcing plans to form a separate computer emergency response team, CERT-Fin, for the financial sector.
While technology and security leaders have hailed the budget as being forward looking and growth-oriented overall, there's mixed sentiment among security experts with regards to the rationale for CERT-Fin and how effective it would be (see: CERT-In: Is It Fulfilling Its Mission?).
"Cybersecurity is critical for safeguarding the integrity and stability of our financial sector. A Computer Emergency Response Team for our financial sector (CERT-Fin) will be established," Jaitley briefly said in his budget speech. "This entity will work in close coordination with all financial sector regulators and other stakeholders."
Financial Sector Cyber Risk
While there are several cybersecurity agencies operating in the country, creating a separate CERT for the financial sector, working in close conjunction with the nodal regulatory bodies, is most likely a response to the increase in cyberattacks against financial institutions over the past year. The recent massive exercise of demonetization in the country has led to a manifold increase in the use of digital transaction channels and wallets, which could eventually spur cyber fraud.
Some recent cyberattacks, including the exposure of 3.2 million debit cards as a result of a malware infection on the ATM switch network, have received unprecedented attention from the government and the Reserve Bank of India.
Effective implementation of the new CERT-Fin will require coordination from all stakeholders, including regulators and law enforcement, to ensure that cyber response works seamlessly, security experts say. The details of how the new CERT-Fin would function in conjunction with the existing national CERT and other agencies remain to be worked out.
Reaction to the Plan
The mention of cybersecurity in the union budget has been received favorably by some in the security industry who see it as a sign that the government recognizes the increased importance of cybersecurity in light of the growing risks from digitization.
Rajesh Maurya, regional director, India and SAARC at Fortinet, believes that the budget is a shot in the arm for digitization and Digital India. But these initiatives require the government to develop a strong security framework to protect sensitive information, he says.
Having a CERT for the finance sector, working in conjunction with SEBI and RBI, will help in the development of more comprehensive guidelines and regulations for financial services companies, some security experts say. Sivarama Krishnan, leader of cybersecurity at PwC India, says in a statement: "Establishing a CERT specifically for the financial services sector, and the attention toward cybersecurity in financial budget, is a step in the right direction. The implementation of the initiative will help secure Digital India.... [It] will significantly strengthen threat information sharing and consequently detection and compel [the financial industry] to increase their security spending as the CERT takes shape."
The proposed budget only committed to deliver on its promise of the "Digital India" initiative. Other large-scale digitization plans, such as the roll-out 2 million Aadhaar-based swipe machines, promoting NPCI's UPI-based cashless payment app infrastructure - BHIM (Bharat Interface for Money), which already has over 12.5 million users, and others highlight the need for strengthening cybersecurity in the government.
Web application security, device security and secure protocols need to be implemented to ensure protection of financial transactions, says Krishnan, who calls on the government to develop standards.
KK Mookhey, principal consultant and founder of the Indian security consultancy Network Intelligence, says creation of the CERT for the financial industry is much needed. Right now there's no platform available for intelligence sharing in the sector, especially in case of breaches, he says. "For example, when the debit card breach happened last year, there was no effective way to actually share critical indicators of compromise with other companies in the financial services sector."
Mookhey says the resources of CERT-In, India's national CERT covering all sectors, are stretched, so it may not be able to sufficiently handle incident response coordination. The new CERT-Fin will make a difference in addressing cyber risks for the financial sector, he contends.
But a few security experts are somewhat skeptical that the new CERT-Fin will have a significant impact.
Dinesh Bareja, COO of the OpenSecurity Alliance and founder of IndiaWatch, portays the announcement of plans for CERT-Fin as a populist move.
"We have a CERT that we are unable to run effectively and now we have another to be run, while there are many other seemingly stillborn cybersecurity organizations [in India]," he says. "This is another populist move, and I wonder what the relation of a CERT to the budget is. Other bodies, such as RBI's cybersecurity arm under Nandkumar Saravade, have yet to make their presence felt.
To shore up the efforts of the proposed CERT-Fin, the government must also launch compulsory breach disclosure in the banking and finance industry, asserts Bombay High Court Advocate Prashant Mali.
Another critical aspect of combating cyberattacks and fraud, he says, is spreading awareness of cyber risks to rural areas and to first-time users of digital finance. While he is upbeat about the proposed CERT-Fin, he feels budgetary allocation for digital literacy programs is essential to effectively address the issue of cybercrime and fraud.