Needed, A National Information Security Action Plan

DQI Bureau

A Chinese team of 2 called Evil Shadow attacked the Microsoft store in India. At around the same time, many government websites, such as those of SEBI (India's stock market regulator), the Maharashtra highway police, and All India Radio, were hacked. Earlier, Chinese hackers were behind most of these attacks. But increasingly, even those from Pakistan and Bangladesh are managing to succeed in hacking these sites.


It is not that the government departments are not aware of this development. But most of them are trying to take ad hoc measures to tackle the issue at the departmental level. Clearly, that is not adequate. There needs to be a formal approach to tackling it at the national level. The US, a major target of the Chinese hackers, was the first country to seriously take note of this development. In fact, last year in October, the US Congress invited Arthur W Coviello, Jr, executive chairman, RSA, The Security Division of EMC, to testify before its permanent select committee on intelligence on the nature of cyber security threats. In his testimony, he identified 3 categories of potential actors: cyber criminals (who want to commercially exploit), non-state actors such as political groups and terrorists who want to attack the government and sensitive websites to send a political message, and nation states. The phenomenon of attacks by nation states has been referred to as cyber warfare. And it is common knowledge that one of the most advanced in this regard is China, with which India has border and other disputes.

Coviello strongly advocated creation of an ecosystem to tackle these cyber adversaries. "Just as our cyber adversaries create their own ecosystems, we must improve information sharing within the industry and with our partners in government, both in the US and abroad," he says in his testimony.

"The more actionable and real-time information sharing that we have, the better chance we have in keeping pace with cyber adversaries rather than simply reacting after they strike," he adds.


When Dataquest asked Coviello what the approach should be for a state like India, he was unequivocal that the country's information security should be planned as an essential part of the overall security policy.

"Planning of a country's information security is absolutely important as lives are at stake and should be planned as an overall security policy, not in isolation," he says.

What Should be the Approach?

"It's important to understand the risk, which is a function of vulnerabilities but also the probability that the vulnerability would be exploited and the materiality of consequences of that happening. If there is a vulnerability but the probability is low, you might not spend much money securing that. However, you may want to give it a second look if the materiality of the consequences is that lives are at stake. It's all about creating a balance. If you look at it through the prism of vulnerability, probability, and materiality of consequences, then you will be able to deploy your resources in the most effective manner. The strategy should be to protect information from inside out and not from the outside in," he tells Dataquest.

DQ Report