India in the global cyber security market
THE cyberspace, comprising ICT networks, computer systems and mobile networks and devices connected to the Internet, is by its very nature borderless. A country’s cyber-space is an integral part of the global cyberspace. The increasing penetration of Internet, particularly in developing countries, is leading to an exponential growth in cyberspace. The rapid growth in the ownership of smart mobile devices (mobile phones and tablets) that can access the Internet has added to the increasing expansion of cyberspace in the country.
The exponential expansion in the global cyberspace has raised pertinent questions about its security. The success of the global Internet system can be chiefly attributed to its relative openness and low entry barriers. However, these very same factors are also partly responsible for the grave threats to the cyberspace in the form of cyber espionage, cyber warfare, cyber terrorism and cyber crime.1
As nations spend heavily on creating the necessary ICT infrastructure to bring more citizens online to derive benefits from social and economic development opportunities that the Internet provides, cyberspace is expected to face greater threats in the future. Cyber security has consequently acquired much greater importance today than in the recent past. Several incidents of cyber crime across the world have led to heightened awareness about ensuring cyber security.
Some of the central questions that this article hopes to address are: What are the opportunities and challenges that this scenario is likely to throw up domestically and globally? How can countries like India address the challenges and benefit from the opportunities in the domestic and the global cyber security market?
To appreciate the opportunities and challenges in the global cyber security market, it is necessary to understand its size and nature in all its ramifications. According to the latest estimates, the number of Internet users in the world has risen to over 2.7 billion in 2013 corresponding to nearly 40% of the world’s population.2 The active mobile broadband subscriptions stood at 2.1 billion in 2013. Globally, 750 million households, comprising 41% of the total, are connected to the Internet. The expansion of the Internet is projected to be on an unprecedented scale in the future with the advent of the Internet of Things (IoT) and the IPv6 protocol that would make possible virtually unlimited IP addresses.
Similarly, the expansion of the Internet is taking place at an exponential rate in India as well. The total percentage of individuals using the Internet in India has grown from a mere 3.95% in 2007 to 12.58% in 2012.3 The total number of Internet users in the country is estimated at 164.8 million as on 31 March 2013.4 Out of these, 143.2 million users accessed the Internet through mobile devices.
As noted before, by its very nature, the global cyberspace is borderless and cannot be isolated to national or regional boundaries. One of the fundamental concerns on cyber security arise from the fact that the core Internet protocols are insecure and the expansion of Internet is taking place on the same insecure systems. The global explosion in mobile based Internet usage is increasing the vulnerability of the cyberspace. As the Internet has become central to the social, economic and political life of citizens and nations, countries are investing heavily in establishing information and communications technology (ICT) infrastructure to bring more and more citizens online. Thus, protection of the critical ICT infrastructure has emerged as another major challenge, in addition to securing the communications and transactions conducted over the Internet.
The vulnerability of the cyberspace is already being exploited by both state and non-state actors.5 The attacks in cyberspace can be mounted by potential adversaries intending to inflict damage on social, economic or commercial interests. They can also be targeted at achieving political or military objectives. They are often aimed at weakening or crippling the critical ICT infrastructure of the adversary to cause denial of access to information and networks or to render them non-functional. In 2007, there were massive cyber attacks on Estonia aimed at disabling the websites of government ministries, political parties, newspapers, banks, and companies. The attackers, suspected to be from a major country with involvement of state actors, employed sophisticated cyber warfare techniques to disable Estonia’s critical ICT networks and e-government infrastructure.6
The nature of cyberspace makes it difficult to identify the perpetrators of these attacks and an attractive pro-position for enemies who do not want to be engaged in conventional conflicts. There is no contact or physical action across the border and the attacking party can completely deny any involvement. The attacked party may not even be sure as to when and how to react. Both the state and non-state actors have developed capabilities to engage in cyber attacks for prolonged periods without being identified.
There are some additional features of critical ICT infrastructure and cyber-space that merit discussion here. Cyber infrastructure is largely owned and operated by the private sector. However, ensuring cyber security involves a multi-agency and multi-layered effort involving both state and private agencies. This poses a significant organizational and coordination challenge.
At an organizational level, cyber security is not merely a technological issue, but a management one as well. This encompasses enterprise risk management and involves human, process reengineering, change management, legal, network and security aspects. While the private agencies are responsible for securing their individual pieces of infrastructure, the seamless flow and exchange of information and interlinkages amongst the networks makes it essential to coordinate the entire effort through an integrated command and control entity that is accountable for cyber security. The roles and responsibilities of all the parties need to be clearly specified.
There is a need for governments to establish appropriate policy mechanisms and legal structures. While security investments made by private industry takes care of their individual corporate needs, they might fall short of the requirements to secure a national network-wide infrastructure. Thus, a pure market based approach to ensure cyber security may not work. A key challenge in this regard is to provide for the additional investments that might be required to secure the cyberspace and critical ICT infrastructure for the country. This might come from incentives provided to the industry to generate collective action in a well planned approach to secure the critical ICT infrastructure.
A lack of capacity at the executive and policy making levels within organizations is another major challenge in ensuring cyber security. There is a need for a focused approach to build capacities to deal with security incidents, deploy latest technological solutions, provide adequate training to all the relevant levels of employees and deal with process transformation and change management required to achieve this goal.
Before we discuss the opportunities and challenges for India in the global cyber security market, it is relevant to discuss the cyber security scenario and the emerging opportunities and challenges within the country and how the government and industry can meet them and benefit from the opportunities. As India develops its ICT infrastructure in an effort to bring more of its citizens online through projects such as the National Optical Fibre Network (NOFN) and makes greater efforts to provide public services electronically through its e-governance projects, the risks for cyber security in the country are going to be much higher in future. It would also make the entire ICT infrastructure and cyber assets in the country far more vulnerable to cyber attacks from both state and non-state actors from countries inimical to India. Are we geared to meet these challenges?
The government has recently taken several steps to ensure greater focus on these issues within the country. It has recently notified the National Cyber Security Policy 20137 with the goal of addressing the cyber security domain comprehensively from a national perspective. The main goal of the policy is to make the cyberspace secure and resilient for citizens, businesses, and the government. The policy envisages the establishment of national and sectoral mechanisms to ensure cyber security through the creation of a National Critical Information Infrastructure Protection Centre (NCIIPC). Computer Emergency Response Team (CERT-In) shall act as the nodal agency for coordination of all cyber security and crisis management efforts. It will also act as the nodal organization for coordination and operationalization of sectoral CERTs in specific domains in the country.
Though efforts are being made to create an effective policy framework to deal with cyber security in the country, there are areas where significant challenges lie. I would like to mention e-governance as a specific case in point. The country has put in place a separate core ICT infrastructure for e-governance consisting of state-wide area networks (SWANs) and state data centres (SDCs) in each state and union territory. Common Service Centres (CSCs), run by private village level entrepreneurs (VLEs), act as the front end for delivery of these services in rural areas. Currently, over 100,000 CSCs are operational across the country. Recently, mobile governance has been implemented to bring all government services on the mobile platform. The National e-Governance Plan is the flagship programme in e-governance consisting of 31 Mission Mode Projects (MMPs) spanning across a large number of government ministries and departments both at the national and state levels. During the last seven years of its implementation, NeGP has achieved considerable success with 23 out of the 31 projects delivering services electronically to the citizens and businesses.
Though NeGP has been a success, ensuring cyber security remains a big challenge as it involves protecting critical ICT infrastructure such as SWANs, SDCs and the applications of various departments running on them. Though scheme specific guidelines have been issued and several states have made significant efforts to protect their cyber assets, there is a need for a comprehensive policy on cyber security in e-governance and ensuring uniformity in its implementation across the country. Application level security is another important domain where greater effort is required.
The scenario discussed above presents big opportunities for the government and industry to address cyber security comprehensively. As the government moves forward to put a policy framework in place, the IT industry can develop appropriate technological solutions to address the cyber security requirements of the core ICT infrastructure and applications. Massive opportunities for the industry are also opening up in sectors such as defence and telecom where the need for cyber security is more critical.
Protecting the cyberspace and critical ICT infrastructure has emerged as a major challenge globally due to the factors discussed above. The Internet has emerged as the central feature affecting the lives of billions globally through e-commerce, banking, travel, e-government, email, etc. With the emergence of smart technologies, a host of utility services such as water supply networks, electricity distribution, among others, are critically dependent on ICT networks. Electronic systems and communications play a key role in the operation of equipment in the defence sector.
What are the opportunities and challenges that such a situation presents to nations like India? To analyse these aspects, it is important to understand the key trends in emerging technologies and how they impact the security scenario in cyber space. In the following paragraphs, I discuss seven such key trends and explain how they present challenges and opportunities for the Indian industry globally.
The most important phenomenon that is driving the expansion in the usage of Internet worldwide is mobility. The advent of mobile devices has brought an unprecedented number of users online, and has consequently increased the risks associated with cyberspace as many of the mobile and tablet users may be first time users of Internet and may not be skilled enough to understand the risks. An expansion in the usage of smartphones and tablets has also brought into focus the security of the operating systems and applications that run on them. As the usage expands, so will the attempts by hackers to break into these devices and steal sensitive personal and corporate information. While this poses challenges for the device manufacturers and OS developers, it presents great opportunities for Indian firms working in the mobility domain. As India is known for its prowess in software development, developing security solutions and secure applications for the mobile world is an unprecedented opportunity globally that is just waiting to be grabbed.
The second important technology trend that is driving the ICT industry is the emergence of the cloud platform. While this phenomenon emerged a few years ago, it is only now maturing and cloud based solutions are being deployed across a number of domains in business, industry and government. Ensuring proper security of applications and data on the cloud is a major challenge and its entire implications are still not clear. Even a few cloud failures can result in massive breaches in security and devastating loss of data for the users. As the cloud encompasses the entire gamut of infrastructure, platform, and software as services, developing security solutions for this platform presents the Indian industry with an outstanding opportunity globally. A related segment which also presents great opportunities is data centre operations and management. Another related phenomenon is the emergence of security as a service on the cloud. This is another space that offers good opportunities for Indian firms.
The third important trend that has recently emerged is the use of multi-factor authentication to improve security. Just a simple password is not enough to ensure access to a host of applications and services in areas such as banking, insurance, financial transactions and government services. In India, an Aadhaar based biometric authentication has emerged as a new mechanism to authenticate the identity of users. This presents an excellent opportunity for Indian industry to develop applications in this domain and address security concerns.
The fourth trend impacting on cyber security globally is the continuous morphing of hacker groups and individuals to maintain their anonymity. This poses serious challenges for organizations and government agencies trying to secure cyberspace as the attacks cannot be attributed to any specific entity. However, this situation also presents opportunities to continuously evolve technologies that can help in unmasking the identity of these anonymous attackers. Active cooperation amongst government agencies and organizations internationally is required to achieve the desired objectives in this area. Agencies such as the United Nations are active and the issue of global cyber security is likely to come up at the 68th session of the UN General Assembly in September 2013.8
The fifth trend that is impacting the cyber security scenario is the increasing involvement of state actors in cyber war aimed at crippling the information and communication infrastructure of their targeted countries and crippling their social, economic, government and military activities. There is enough evidence of involvement of state actors in several recent incidents of cyber attacks.9 Stuxnet is a case in point.10 It presents a serious challenge for countries like India, surrounded by several inimical neighbours. However, this also presents the country with a big opportunity to develop solutions to secure its ICT infrastructure and cyber assets.
The sixth emerging trend is the related issue of ensuring privacy and confidentiality of information pertaining to individuals and businesses. One of the motivations for cyber attacks is to gain access to or steal information that has commercial value or that helps the attackers to commit fraud with that information. To protect privacy, effective laws and regulations need to be put in place to ensure what data can be used and shared and for what purpose. It also has a bearing on where the data can be stored in servers. This is already a major concern in some domains such as healthcare, where privacy and security concerns about hosting and sharing health data are significant. As India is the world leader in IT services outsourcing business, it offers a big opportunity for the Indian government to put in place effective policies to assure the international community that the country respects the concerns on privacy and confidentiality of data. Indian industry should exploit this opportunity to get a bigger share of the worldwide market in IT and IT enabled services.
Lastly, there is a greater effort being made internationally at the multilateral level to address global concerns on cyber security. Recently, the international Group of Governmental Experts, representing 15 countries including India, has submitted a report to the United Nations secretary general on enhancing cyber security globally. International cooperation in cyber security presents great opportunities for India to spearhead and lead the efforts to build a global consensus around the approaches to address the issues. It would also open up tremendous opportunities for Indian industry to develop and showcase its capabilities to offer technical solutions to deal with the threats.
* The views of the author are personal.
1. Institute for Defence Studies and Analyses (IDSA), India’s Cyber Security Challenge. IDSA Task Force Report. March 2012. Accessed 9 August from: http://idsa.in/ system/files/book_indiacybersecurity.pdf
2. International Telecommunications Union, The World in 2013. ICT Facts and Figures. Accessed 18 September 2013 from: http://www.itu.int/en/ITU-D/Statistics/Documents/facts/ICTFactsFigures2013.pdf
3. International Telecommunications Union, Statistics. Time Series by Country. Percentage of Individuals Using the Internet. Accessed 18 September 2013 from: http://www.itu.int/en/ITU-D/Statistics/Pages/stat/default.aspx
4. Telecom Regulatory Authority of India (TRAI), The Indian Telecom Services Performance Indicators, January-March 2013. Accessed 25 August from: http://www.trai. gov.in/WriteReadData/WhatsNew/Documents/Indicator%20Reports%20-01082013.pdf
5. W. Marmon, ‘Main Cyber Threats Now Coming From Governments as "State Actors",’ European Affairs, November 2011. Accessed 15 September 2013 from:http://www.europeaninstitute.org/EA-November-2011/main-cyber-threats-now-coming-from-governments-as-state-actors.html
6. I. Traynor, ‘Russia Accused of Unleashing Cyber War to Disable Estonia’, The Guardian, 17 May 2007. Accessed 17 September from: http://www.theguardian.com/world/2007/may/17/topstories3.russia
7. Department of Electronics and Information Technology (DeitY), National Cyber Security Policy. Accessed 25 August 2013 from: http://deity.gov.in/sites/upload_files/dit/files/National%20Cyber%20Security%20 Policy%20%281%29.pdf
8. United Nations, Developments in the Field of Information and Telecommunications in the Context of International Security. 2013. Accessed 16 September 2013 from: http://www.un.org/disarmament/topics/informationsecurity/
9. W. Marmon, op cit.
10. J. Vijayan, ‘Government Role in Stuxnet Could Increase Attacks Against US Firms’, Computerworld, June 2012. Accessed 19 September 2013 from: http://www.computer world.com/s/article/9227696/Government_ role_in_ Stuxnet_could_increase_attacks_ against_U.S._ firms?pageNumber=1