To improve cybersecurity, first shed overconfidence

Barely a week after the government declared the Bharat National Cyber Security Exercise 2023 a grand success, personal data of 815 million Indians, including Aadhaar numbers, phone numbers and addresses, started being hawked on the dark web.

Cybersecurity is different from other areas such as, say, tourism promotion: mere enthusiasm isn’t sufficient. What’s needed is an effective strategy, policy, regulation, technical standards, enforcement agencies, continuous training, user vigilance, and investment in quality education.

Earlier this year the US government released new thinking around cybersecurity regulation, in which the government would place some security obligations on private companies that provide much of the network and storage infrastructure, and state agencies would proactively seek to deter and disrupt bad actors in cyberspace. The US has also proposed a Cyber Trust Mark, on the lines of star ratings for energy efficiency, that would replace the existing system of self-certification for the expanding array of connected devices. Of course, these trust tags should include their expiry date upfront, because what is secure today may not be tomorrow.

India also has a national cybersecurity strategy in the works. One hopes the draft strategy will be opened up for public comment and improvement.

Cybersecurity is a dynamic field. A cursory survey of the website of the Indian Computer Emergency Response Team (CERT-In) reveals a diverse range of current and potential threats emanating from devices, apps and web spaces, including those used for storage in the cloud. One thing is fairly clear: apps need to be updated when the operating system changes. This has many implications, one of which is undermining the Competition Commission’s call for a laissez-faire approach in which external forks are tolerated in mobile operating systems, particularly in Google’s Android. Operating systems should ideally retain systemic integrity, and their makers should be stripped of any excuse for failing to insulate them from bad actors.

India is proud of its digital public infrastructure, and legitimately so. But it is also a source of vulnerability. Estonia, one of the earliest champions of digitising governance, found its state-owned and operated servers being hacked, and switched to Amazon Web Services. India has more robust technological and engineering capabilities, and can afford to host its crucial digital public infrastructure on state-owned or quasi-state-owned and operated servers. The depository accounts in which much of corporate ownership and wealth are stored, the Goods and Services Tax Network, the National Payment Gateway and much else operate in this manner. If these are disrupted by cybercriminals, the Indian economy would be brought to its knees.

The latest data breach reportedly emanated from the Ministry of Health and Family Welfare. All public databases should adopt the gold standard in cybersecurity. Should data be kept in a single centralised database or are decentralised databases more secure? Well, the Ministry of Health and Family Welfare’s database is an example of decentralisation. How many layers of clearance are required to access critical information via multi-factor authentication? What kind of training do authorised personnel require to ensure that personal sloppiness does not compromise data security?

It has been reported that Microsoft has been working with the government of Ukraine to ward off cyber attacks from Russia. Could Russia have similar protection for its networks from Microsoft and other large American tech giants? Could India have this, on a continuous and reliable basis, beyond the vagaries of petty politicking in the US Congress?

India does not need to reinvent the wheel on every matter of cybersecurity. But it must mobilise sufficient expertise as currency in global negotiations to ensure we get a fair deal. That means investing in quality education, from school to doctoral programmes. If every computer engineering student, on graduation, seeks a place in the job market, leaving only the rejects to pursue higher education, how will India develop the expertise it needs? If public-sector salaries cannot compete with private-sector munificence, especially at senior levels, how can we incentivise talented youth to work in key state agencies? How can we equip our investigative agencies with the knowledge and capability to effectively investigate cybercrime?

Adding artificial intelligence to this mix would increase technological complexity, but leave the basic challenges and the policy framework for addressing them more or less unchanged.

Obviously, there are more questions than ready answers in this realm of vital personal and national security. But these must be asked, and concerted efforts made to find viable answers. The first task is to rid the digital ecosystem of overconfidence that everything is under control.
