India's Cybersecurity Efforts: Too Much Redundancy?Some Security Experts Question Need for Two New Initiatives
Some security practitioners in India are questioning the value of the government setting up a CERT for the financial sector as well as a second Cyber Coordination Centre in Delhi to help deal with the changing cyber threat environment.
Instead, they argue, the government should focus on improving the efficiency and effectiveness of existing agencies, including CERT-In. "Let the existing ones function properly and only then come up with new ones, if needed," says J. Prasanna, director at the Cyber Security & Privacy Foundation Pte Ltd.
The government contends CERT-Fin, which was proposed in February, is needed because of the increase in cyberattacks against financial institutions over the past year. Furthermore, the government's push to rapidly expand the use of digital transactions is raising concerns about the growth of cyber fraud.
And now the government has announced plans to create a Cyber Coordination Centre in Delhi, in addition to the National Cyber Security Centre that is already in place. In a recent meeting between banks and the government, bank executives expressed concerns over cybersecurity, especially in the wake of recent WannaCry attacks.
Details on funding of both efforts, as well as the specific duties of both new organizations, have yet to be released.
Is There a Need?
The two new organizations that the government is launching will face turf issues, including loosely defined responsibilities and boundaries, some security practitioners say.
Plus, some question the need to create CERT-Fin when CERT-In has yet to make a major impact. Similarly, they argue that the new centre in Delhi isn't needed because the National Cyber Security Centre is just getting rolling.
The government should focus on ramping up the capabilities of the national CERT, several security experts say. "While a CERT is supposed to be 'emergency response' one has to make sure that response is a primary responsibility and not just advisories," Dinesh Bareja from Open Security Alliance stresses.
So far, CERT's advisories have been far too vague, Prasanna contends. "We have a CERT that we are unable to run effectively and now we have another to be run, while there are other not-so-useful cybersecurity organizations in the country," he says. "Banks tell us that more often than not they don't follow the warnings issued by CERT-In. It often fails to respond when queries are sent."
Security practitioners also expressed their reservations about creating another Cyber Coordination Centre in Delhi. "It will be interesting to know what it will do. For example, the RBI has set up ReBIT and I am not much aware of it," he says. Because India already has a National Cyber Security Centre and many such still-born centres in place, some practitioners contend that creating more units will only add to the confusion. "The problem is that there are multiple cybersecurity centres and the mandate seems to be vague," Bareja says.
When launching new organizations, "the biggest challenge will be able to guarantee wholehearted participation from different stakeholders," says Sivakumar Krishnan, former head IT and information security at M Power Microfinance. "It's not an easy task to set up the process between various departments and sectors. It will have to undergo several iterations before it's fine-tuned."
How They Should Function
Security experts also are debating the best way to fund and supervise the two new agencies, if, indeed, they move forward.
Bareja says CERT-Fin should be funded by a neutral body. "It should be under any of the central agencies like National Technical Research Organisation or NTRO, National Critical Information Infrastructure Protection Centre or NCIIPC, CERT-In etc," he says.
But Prasanna argues that both CERT-Fin and the Cyber Coordination Centre should be brought under the RBI, the central bank . "Only then will companies take these bodies seriously," he argues. "At present, most companies and banks don't take recommendations by CERT seriously. However, RBI's recommendations or directives are taken into consideration by banks because they understand the power RBI has."
K.K. Mookhey, founder at NII Consulting, shares that view. "RBI is one of the most proactive and aggressive regulators in the cybersecurity space. The RBI has consistently come up with clear-cut guidelines for the banks in India," he says.
For now, only time will say if the new cybersecurity centres is actually a wise decision on the part of the government or not.