NCIIPC Foundation Day 2017 – Taking stock and looking ahead : Dinesh O Bareja

NCIIPC Foundation Day 2017 – Taking stock and looking ahead : Dinesh O Bareja

The National Critical Information Infrastructure Centre (NCIIPC) was created on Jan 16 2014, under the NTRO,  and celebrated it’s third foundation day with a conference at India Habitat Center in New Delhi. The author had the privilege to attend the event and listen to the leaders of national cyber security.

This blog will be in multiple parts as I see two risks – (1) it may be too long to read, and, (2) a single piece may be too big for me to complete and will become a member of my permanent work-in-progress category. ?

Our comments (if any) will be in italics or blockquotes and will be marked. Errors may be expected in attribution of comments as the writer is not a professional journalist and this is a personal attempt to record an historic occasion with pride.

I remember learning about NCIIPC when it was formed and it was a very happy moment for the thought that the government had finally moved to establish a body to take care of this area. When I got a copy of the CI guidelines, I did a review but that is another story… so lets get back to celebrating the day:

The Chairman, NTRO, Mr.Alok Joshi in his welcome address shared the high level of concern for national security because of the increased cyber security threats. The need for institutions to be constantly upgraded and that cybersecurity is at par of more important than nuclear security (without meaning to diminish the importance of either). He also touched upon the changing meaning of hacking, and that earlier targets were infrastructure but now we are seeing influencing of political process too. We also learned that NTRO/NCIIPC has set up a cybersecurity center with Haryana government.

His talk was followed up by the Deputy NSA, Mr. Arvind Gupta, who reiterated on the concerns and said that cybersecurity is taking center stage in the country and that we are looking at cyber disorder. That many incidents are not reported and that NCIIPC should be legally empowered so it will have teeth and not be viewed as a “mandatory” guidance body.

He shared a number of expectations of high concern and (rightfully) all were in the “high” priority category needing attention asap! Notable are the need for augmentation of CERT-In, establishment of Sectoral CERTs, designation of CISOs in all sectors and they be linked to CERT-IN, operationalization of NC3 should be done asap, strengthening of cyber security R&D (at the very least – in critical areas)

He called upon the inclusion of academia and for participation in cyber security related research and emphasized that, at least, this be taken up in critical areas. Innovation must happen.

IW View: While we wholeheartedly support and laud this statement, we believe that there is a need for government agencies (especially the security and defence establishment) to identify their needs and articulate the same. Our experience is that a lot of academic or research institutions have a paucity of ideas in this domain it will be a challenge to undertake research and development for a practical / workable solution.

There is a PPP working group under the NCSC and several meetings have been held, however more dialog is needed to extract substantive results. He also remarked that while we have great institutions we need to augment them with manpower and in new areas plus the available knowledge has to be revalidated. While we have a lot of good people, we are failing in utilizing them and we are seeing foreign countries take advantage of their skills and knowledge.

IW View: The professional, entrepreneur, innovator or researcher suffers from institutional apathy and eventually leaves the country to share his / her skills and knowledge overseas. It is unfortunate that we then buy the same services / products as “foreign” goods paying top dollar price whereas we would have the advantage of home products had the ecosystem been favorable to retain the entrepreneur / professional. A lot needs to be done and quickly!

Then there is a need to track vulnerabilities which is another challenge as there is a reluctance to accept information sharing. Greater synergy is needed between departments and unless this is brought about protection efforts will not be successful.

IW View: Like ‘awareness’, ‘information sharing or ISAC’ is a widely used term and abused by all. Any amount of nay-saying or abuse cannot dilute the fact that both ‘awareness’ and ‘ISAC’ are absolutely essential for enabling resilient cyber security at national or enterprise level. Unfortunately, unless the ISAC process is formally notified and a common platform (can be provided by NCIIPC) it will be impossible to achieve this objective in the near term. Recent events in the banking sector demonstrate the reluctance of regulatory bodies and their constituents to share information and this leads to creation of systemic risk silos or tsunamis.

Finally, we should also cooperate with international organizations as this helps in sharing best practices as well and NCIIPC has already started dialogs with agencies.

 

IndiaWatch Summary View

The address provided an insight into the ongoing thought process and presented the government point of view on the current challenges and issues on hand in the cybersecurity arena. This was very welcome and provides insight and realization that there is active focus on finding solutions and empowering institutions to address the challenges.

As stated earlier, we agree that the cybersecurity issue needs to be taken very seriously and that has to be done at speed to cover lost ground. If we are to live up to the expectation of digital India the efforts to enable critical infrastructure security has to be increased manifold. Else we will be living on borrowed time with vulnerable infrastructure.

Rightfully said, we have the institutions and the people – and NCIIPC has the vision and mandate – all in all this is the prescription for changing the game and putting the country ahead. .

We would really like to see such events being conducted across the country, not as a PR exercise, but as a means to engage with the security community and to catalyze their interest for effective contribution and participation for national security. This will also serve the purpose of building a greater level of trust through transparency and be a vehicle for getting ideas and suggestions for enhancing ongoing initiatives,

For the security professionals and key government officials from all over the country attending the event it should serve to be the input for their strategic tactical and operational plans. Also there was a lot of sharing about government initiatives to raise the level of protection to enable reasonable level of cybersecurity.

We will work on the next instalment of this blog covering the talks by Mr.Gulshan Ra, NCSC; Mr. Sanjay Behl, DG, CERT-In; Mr. Ajit Bajpai, DG, NCIIPC and the various panel discussions.

Dinesh Bareja

Cyber Security practitioner and evangelist working in national and enterprise security. A recognized speaker and contributor to national policy, awareness and development of capacity / capability. Working in areas covering Critical Infrastructure, Cyber Insurance, and more, with a critical eye on the past, present and future in the infosec domain. Brings visionary practical thought and leads the demolition of purveyors of hype and snake-oil sellers.

Leave a Reply

Your email address will not be published. Required fields are marked *