S E C T I O N
Newsletter
About Newsletter
Editorial
IISSM News
Training Programme
Book Review
Book Reference
Responses
Article
Monthly Summary
Print Newsletter
HomeNewsletterArticle
Volume No. 6,   Issue No. 6,   November 2007

STRENGTHENING CYBER SECURITY
THROUGH PUBLIC – PRIVATE PARTNERSHIP

-BY B. G. GUPTA,
INFORMATION TECHNOLOGY ADVISOR

In India, Business, Commerce and E-Governance has been made Borderless, Time Independent and Person Independent by the Internet. The private sector owns and operates much of the infrastructure that is enabling the economic linkages and it is important for the two sides to enter into a beneficial partnership, therefore close cooperation between Governments and the private sector is vital to protect critical national assets.

In fact a strong private-public partnership is a key initiative against crime in cyberspace that is a "two-way street" in which trust should be built between Government and the Private Sector. Such models have already been successfully created in the United States and elsewhere.

The article discusses the genesis, urgency, modalities, problems and some solutions for the current scenario.

1.0 WHAT IS PUBLIC-PRIVATE PARTNERSHIP

Public-private partnership (PPP) is a system in which a government service or private business venture is funded and operated through a partnership of government and one or more private sector companies. These schemes are sometimes referred to as PPP or P3.

In some types of PPP, the government uses tax revenue to provide capital for investment, with operations run jointly with the private sector or under contract(see contracting out). In other types (notably the Private Finance Initiative), capital investment is made by the private sector on the strength of a contract with government to provide agreed services. Government contributions to a PPP may also be in kind (notably the transfer of existing assets).

Typically, a private sector consortium forms a special company called a "special purpose vehicle" (SPV) to build and maintain the asset. The consortium is usually made up of a building contractor, a maintenance company and a bank lender. It is the SPV that signs the contract with the government and with subcontractors to build the facility and then maintain it. A typical PPP example would be a hospital building financed and constructed by a private developer and then leased to the hospital authority. The private developer then acts as landlord, providing housekeeping and other non medical services while the hospital itself provides medical services.

2.0 PPP IN CYBER SECURITY

When it comes to the security and particularly Cyber Security dependencies Cut Across Virtually Every Industry and Vertical — Not Just IT Industry. Industry built and owns 85%-90% of critical infrastructure:

  • Financial structures
  • Power grids / stations
  • Dams and water supply
  • Ports / rails / airports
  • Pipelines
  • Information Infrastructure



Communication Must Take Place between the following:

  • Government Agency to Government Agency
  • Government to Industry Sectors
  • Industry Sector to Industry Sector
  • First Tier Companies to Second and Third Tier Companies

And for Communication to be Effective:

  • Trust Must Be Established
  • Redundancy Must Be Eliminated
  • Information Sharing Protocols Must Be Clearly Established
  • Nature of Information To Be Disseminated Must Be Defined

Some of the barriers to Effective Communication are:

  • Information Lacks Detail, Timeliness or is Not Actionable
  • Information is Misdirected within Organizations
  • Ability to Protect Sensitive Information Becomes Suspect
  • Community of Trust Breaks Down



3.0 THE CURRENT INDIAN SCENARIO:

  • Growing dependence on computer networks for communications, data management and operation of critical infrastructure.
  • Healthy and secure cyberspace is essential for economic and national security.
  • Information infrastructure and other critical infrastructure that rely on IT such as banking, finance, stock exchange, transportation, and power etc. are increasingly becoming vulnerable to cyber attacks.
  • Threats with motives ranging from criminal groups seeking financial gain to politically motivated groups attacking government websites.
  • Attacks getting more organized and sophisticated.



4.0 CERT-In : Analysis of Defaced Indian websites under .in ccTLD for year 2004

Defacements by year:

On analyzing the defacement statistics along the years, it was observed that though there was a steep decline in defacements after 2001, there was a growth in the number of sites defaced during the past three years. The total no of sites defaced in 2004 was 182 compared to 131 in 2003.

1998 1999 2000 2001 2002 2003 2004
Sites defaced 1 4 75 219 121 131 182
Percentage of total defaced sites 0.14 0.55 10.23 29.88 16.51 17.87 24.83

Fig. 1: .in defacements Year wise

1998 1999 2000 2001 2002 2003 2004
Sites defaced 0 1 7 11 22 43 45
Percentage of total defaced sites 0 0.78 5.43 8.53 17.05 33.33 34.88

Fig. 2: .gov.in defacements Year wise

The group Command Tribulation (said to be Brazilian) defaced the most number of .in ccTLD sites in the year 2004. They were responsible for around 11 % of the total .in ccTLD sites defaced in 2004. The other top defacers were AIC, TimeOut, Fatal Error and HBT. Some of the top hackers in the previous analysis (‘silver lords', ‘GForce', ‘FBH' etc) do not appear in the top hackers list of 2004.

Defacer Number of defacements Percentage of Total .in ccTLD Defacements
Command Tribulation 21 11.54
AIC 18 9.89
TimeOut 17 9.34
Fatal Error 13 7.14
Kernel_Attack 13 7.14
H.B.T 9 4.95
Powhack 8 4.40
DaemonOptik 7 3.85
GhostIRC 4 2.20
Moroccan GanGsters 4 2.20

Fig 3: .in defacements hacker wise

Defacer Number of defacements Percentage of total gov.in defacements
Fatal Error 13 28.89
GhostIRC 4 8.89
DarkBicho 3 6.67
powHacK 3 6.67
H.B.T 2 4.44
HMB 2 4.44
ION 2 4.44
Moroccan GanGsters 2 4.44

Fig 4: .gov.in defacements hacker wise

5.0 THE ASIA IT MINISTER’S 2nd SUMMIT – HYDERABAD 2004.

The Ministers responsible for Information and Communications Technology (ICT) in the Asian Region, met in Hyderabad, India, from January 12 – 13, 2004, for the 2nd Asia IT Ministers’ Summit and after taking cognizance of the various factors recommend the adoption of a concerted plan of action which includes the following components:

1) ENCOURAGE the setting up of Community Information Centers (CICs) on pilot basis in some countries in the region. The Government of India shall be willing to share its experience on the establishment of CICs models in the Northeastern states in India.

2) IDENTIFY feasible mechanisms for sharing bulk bandwidth among Asian countries to reduce the overall cost of setting up international gateways for each nation.

3) PROMOTE Internet exchange nodes to encourage data exchange at national and regional levels.

4) ATTEMPT to integrate voice, data and video services to build a single unified service for economic viability. Towards this end, new protocols like IPV6 can play an important role.

5) PROVIDE useful government information and services to citizens through Internet to promote the use of ICT for development.

6) STUDY the feasibility of establishing a regional Research & Development Center for working on new Internet protocols, management strategies and security issues to help the region leapfrog in Internet infrastructure development through innovative technologies and make them available at an affordable cost.

7) SECURE the information infrastructure in view of the increased vulnerability of Internet-based systems and their impact on critical infrastructure, such as energy, telecommunication and transportation. In order to achieve this, one of the components is to raise the awareness among the Asian countries on the importance of establishment of National –Computer Emergency Response Team (N-CERT) as well as the cooperation among Asian N-CERTs.

6.0 UNION MINISTER OF COMMUNICATIONS AND INFORMATION TECHNOLOGY AT THE SEMINAR ON "CYBER CRIME: TODAY AND TOMORROW" HELD ON 12-07-2006.

Government on their part has taken a number of initiatives. Indian Computer Emergency Response Team (CERT-In) is operational and provide necessary help to prevent security breaches. CERT-In, today, is a member of all international CERTs, namely, APCERT, FIRST and liaison closely with US-CERT and CERT/CC and, therefore, have the reach nationally and internationally in solving problems pertaining to cyber security. CERT-In has been setup to provide instant response to all necessary help in the area of cyber and information technology security to cyber community in India. CERT-In regularly monitors cyber security scenario in the country with focus to protect critical information infrastructure. CERT-In is entering into collaboration with leading IT vendors in the country with a view to take necessary help from them and provide to the cyber community in the country. CERT-In along with the industry is also developing a website to educate the government users to protect their computer systems. This website would be hosted by the end of this month. Further, the critical information infrastructure has been directed to undertake security audit of the IT infrastructure once in a year and also to implement best security practices as per ISO 27001. Along with the industry, CERT-In has planned to train CIOs and the representatives of critical Information Infrastructure to implement best security practices. 1st batch of training is scheduled in 3rd week of August. CERT-In and CCA together have conducted training for Police officials as well as the judges in the area of collecting and analyzing cyber evidences. Centre for Advanced Computing (CDAC), an Autonomous Society of Department of Information Technology, has also developed the forensic tools, which are being used effectively for collecting and liaisoning the digital evidence. The Information Technology Act is being amended to provide legal framework for curtain type of cyber crimes such as,data theft, transmission of images, video voyeurism etc. It is also proposed to appoint an examiner to examine the digital evidence and provide all necessary assistance to the Police authorities as well as courts. Provisions have also been proposed to assure the BPO industry in regard of data protection and breach of confidentiality. BPO industry and service providers would be required to implement the best security practices to prevent leakage of information.

7.0 SOCIETY FOR ELECTRONIC TRANSACTIONS AND SECURITY (SETS) 2005

A composite team from SETS, ECIL and the Bhabha Atomic Research Centre (BARC) for developed this unique system that has multiple civil and governmental applications. In view of many more secure communication systems that are likely to be developed in the future it is essential to strengthen the process of certification and standardization of Information Security products. SETS has to work in this direction.

The design of such a communication system a major milestone has been achieved by SETS working closely with ECIL and after multiple peer reviews by the Director General, National Informatics Centre (NIC) and BARC.

The confidence of both the private sector and academic community in SETS is high of the potential for SETS to contribute in areas like certification and setting of standards with emphasis on Research & Development.

The secure communication system is used for transmission of data and voice over public networks in a highly confidential and secure manner at a speed of 2 Mbps or higher. The system has been designed and developed in-house at SETS in record time. M/s ECIL will shortly integrate this unit into a configuration that is targeted for use in multiple applications including inter-bank transactions, large Electronic Data Exchange applications etc.

SETS is the first Public-Private-Partnership initiative in the area of Information Security Research & Development.

  • SETS is the first Information Security organization in a Public Private Partnership(PPP) Mode.
  • SETS is backed by corporate sector with Government membership playing an enabling role.
  • SETS is the voice of security professionals and experts for Information Security with implications to the national security.
  • SETS is an unbiased national-level society of leading organizations involved in Information Security technologies.
  • SETS is motivated by ethical professionalism of its members.
  • SETS is dedicated to protect the information resources of the country through development of indigenous technologies.

Major Aims and Objectives of SETS

  • To promote the study and awareness of Information Security (INFOSEC).
  • To promote, innovate and develop Information Security products and new applications in the area of Electronic Transactions, with particular reference to Information security, for the domestic market.
  • To take up projects; provide turnkey solutions with in-house resources or with participation of its member organizations.
  • To tender advice to the Government on policy formulation and act as a buffer between sensitive user agencies in the Govt. & Corporate houses for developing security solutions.
  • Provide consultancy services to Governments, banks and other public & private sector institutions to safe-guard the information & knowledge generation resources of the country.
  • To develop standards for hardware and software packages.
  • To become certifying agency in the area of Information Security.
  • To adapt, develop, plan and promote the study and disseminate knowledge in the area of Electronic transactions and Information Security by publishing journals, reports, monographs, books, research papers, manuals, compendia, and pamphlets.
  • To sensitize the marketplace on the need for, and demands for information security (INFOSEC).
  • To sponsor, conduct/organize teaching & training programmes, conferences,seminars, lectures, and similar other activities on subjects of relevance to the society either alone or in partnership with other organizations.
  • To serve as a centre for promoting co-operation and interaction in research activities between academia & industry, and technocrats & users of Electronic transactions in all sectors of the economy.
  • To initiate, establish and participate in collaborative activities with other researchers and institutions / organizations within and outside the country.
  • To maintain close contacts with other institutions having similar or allied objectives.
  • To design, promote, conduct itself and aid other agencies/institutions in conduct of part / full-time professional courses in-house as also on distance learning basis and award certificates, diplomas or accreditations, etc. and prescribe standards of proficiencies for such awards.
  • To institute and award fellowships, scholarships, prizes or medals for meritorious students.

8.0 WHY STRESS ON CLOSE PUBLIC-PRIVATE COOPERATION FOR CYBER SECURITY - THIS IS VITAL TO PROTECT CRITICAL NATIONAL ASSETS.

  • Electronic Crimes Task Force involving bankers, universities, security experts and local police mooted.
  • Information sharing centre, involving agencies in finance and banking, oil and gas, telecom, water supply, suggested.
  • Emphasis on awareness, training of police and clear legal guidelines.

In the era of borderless business and commerce made possible by the Internet,close cooperation between Governments and the private sector is vital to protect critical national assets.

The private sector owns and operates much of the infrastructure that is enabling the economic linkages and it is important for the two sides to enter into a beneficial partnership. It is as a "two-way street" in which trust should be built between Government and the private sector. Such models had been successfully created in the United States.

Businesses were bound to have many concerns when participating in such an exercise, including the potential for negative publicity, data secrecy and the need for unimpeachable processes. They might even consider the choice of simply keeping quiet when attacked by criminals. Co-operating institutions may require law enforcement to issue subpoenas to make information available, rather than do it privately, to ensure an orderly set of processes.

Take the example of Vermont INFRAGARD, a programme sponsored by the Federal Bureau of Investigation to build information security partnerships with the private sector, to explain initiatives that help share information among Government, business and law enforcement, without unwanted exposure to the public.

The Electronic Crimes Task Force co-ordinated by the secret services involving bankers (who may be targeted by criminals), universities (to provide skill levels for solutions), security experts and local police, was another model.

A third example was the Information Sharing and Analysis Centre (ISAC) which involved agencies in areas such as finance and banking, oil and gas, telecom, water supply and sewerage. One of the functions served by such bodies was to talk to the federal government and relay information back to members.

9.0 THE SOLUTION - PPP:

The solution to this problem lies in having a partnership between the government and the private sector as the private sector owns and operate significant portion of the country’s infrastructure and other cyber systems on which the country’s other infrastructure depends. These are as follows:

  • Telecom
  • Internet Gateways
  • Internet Service Providers (ISPs) – the back bone of communication.
  • Infrastructure hardware and software suppliers.

The government alone or the private sector alone can’t protect these national infrastructures.

Essence of Public-Private Partnership

1. Close cooperation between industry and government essential to jointly tackle the issues.
2. A centralized coordinated National Public- Private Partnership initiative is essential.
3. The private sector by tackling cyber & information security concerns will not only enhance their own security, but also help strengthen National Information Infrastructure.

The Action Points

1. Utilize the capabilities of the private sector to achieve security.
2. Develop a mechanism to share information on cyber attacks, vulnerabilities and security practices to better respond to cyber attacks.
3. Ensure information reaching the right people in a timely manner.
4. Enhance awareness & emergency preparedness.
5. Establish Information Sharing and Analysis Centers.
6. The government may actively collaborate and partner with private sector at the national, state and local levels.

10.0 CONCLUSION

In India, Business, Commerce and E-Governance has been made Borderless, Time Independent and Person Independent by the Internet. The private sector owns and operates much of the infrastructure that is enabling the economic linkages and it is important for the two sides to enter into a beneficial partnership, therefore close cooperation between Governments and the private sector is vital to protect critical national assets.

In fact a strong private-public partnership is a key initiative against crime in cyberspace that is a "two-way street" in which trust should be built between Government and the Private Sector. Such models have already been successfully created in the United States and elsewhere.

Go Top