Business Daily from THE HINDU group of publications
Tuesday, Oct 02, 2007
Sleeping through cyber-crime

RAGHU RAMAN


Policy initiatives on cyber crime are as yet lethargic because of a general sense that it is nothing more than juvenile hackers out to have fun or impress someone. The reality is far more dangerous, warns RAGHU RAMAN.




There seems to be a general complacency that controls are in place; the situation is far from happy

The Minister for State for Home recently announced the government’s intent to set up a public-private partnership model to address the threats of cyber crime. Such intent is not new in itself. Bodies such as the CII, Nasscom, etc., have long sounded their respective bugles against cyber crime. Given the scale of the problem in this country, most of their efforts have been restricted to the conduct of “awareness weeks” and general pronouncements on the need to combat it. In terms of execution there has been little movement.

Most people still equate cyber crime with minor misdemeanours, nerds indulging in attention-grabbing schemes or juveniles stealing small amounts of money. Recently, a celebrated national security observer remarked that the state is behaving like an ostrich with regard to threats faced from Naxalites and other in-country terrorist factions. That is exactly how most of us behave towards cyber crime.

A major part of the problem lies in the picture of the hacker embedded into the popular imagination that in turn defines the public perception of cyber crime. It is an image of teenage kids hunched over computers, breaking into networks, defacing sites and announcing their ‘victory’ over the ‘establishment’. This image is as far removed from reality as perhaps juvenile delinquency is from organised crime.

The scale of e-business…

Increasingly, money is moving from bank vaults into ephemeral bits stored in vast networks. Not just hard cash, but also competitive advantages of companies and the nation, strategic business plans, privacy of citizens, trust of partners, IPR of future products & designs, data of state agencies, and most importantly — the perception of stability and governance — all these elements now reside within a grid.

This grid consists of databases spread across millions of computers, servers, miles of digital highways and wireless networks travelling through ether. These networks cross the walls of offices, banks and financial institutions.

They hold virtually every piece of value about individuals and organisations. They also connect into homes and have the potential to reach gullible adults and children exposing them to scamsters and child-molesters.

…lends itself to crime

This is why — unsurprisingly enough — the focus of organised crime, terrorists, and competitive intelligence agencies is shifting to the cyber world. And there aren’t enough defences in place to deal with the threats of such magnitude. Consider the following scenarios.

Trust, stability and privacy are critical elements for economic solidity. A company’s or individual’s ability to trust another with confidential and private data is the pivot on which all business transactions revolve. Financial institutions, BPOs, R&D establishments and even state organisations such as passport, income-tax, health records, etc., contain sensitive information with great potential for misuse.

Consider the implication of the underworld getting access to the high-net worth-customer database of banks; or rivals getting access to strategic plans or potential employers getting your health history.

What would be the levels of assurances if regulatory banking norms such as KYC could be manipulated or vast sums of money or stock could be siphoned out of accounts — even temporarily — by simply manipulating digits in a database?

The ostrich approach

There seems to be a general complacency that controls are in place, and such things cannot happen. Unfortunately, as many insiders will concur, the situation is far from happy. The reason that you get cold calls from tele-marketers is because someone somewhere has information about you. Information that you thought was protected by controls. But was probably sold off for a few paisa per name.

Let’s notch up the stakes a little higher to look at cyber crime from a more strategic angle. It is the aim of terrorists and hostile states abetting them to create panic, internal disturbances and sensational trauma. The connected world offers an ideal platform to achieve this objective. A scenario where cyber criminals are working to launder monies gained through illicit means such as drug or weapons trafficking, which are then used to fund seditious elements such as terrorists or hostile intelligence agencies is not in the realms of fiction anymore.

These are different classes of criminals working in conjunction to achieve a larger damage. But the ‘good guys’ are still working in fragmented silos.

Meeting the challenge

It is a well-known fact that terrorists have been using the Internet to communicate, extort, intimidate, raise funds and coordinate operations. Hostile states have highly developed capabilities to wage cyber wars. They have the capability to paralyse large parts of communication networks, cause financial meltdown and unrest. The degree of our preparedness in the face of all these potential threats leaves much to be desired.

The challenge is to make a concerted beginning. Companies and private citizens need to actively participate in building stronger defences and controls for better security. The state agencies are simply overwhelmed and do not have the bandwidth to cope.

From where we stand, companies must take ownership of turf protection. While state agencies can be called in after the event for investigations and prosecution, prevention is best handled by the companies.

Whether it is the banking sector looking to protect its money, pharma companies protecting their research or MNCs protecting their brand, the concept of Information Risk management must move from the cost-centre attitude to a business governance necessity.

Making it happen

There are two major drivers to make this happen. First is the mindshare of boards and oversight committees. Boards must demand Information Risk management be a part of the governance report. While strictures like Clause 49 or SOX (Sarbanes Oxley) have attempted to achieve this, in most instances they remain myopic and limited to superficial levels.

This is evident from the actual resource allocation towards risk management, which still remains at woefully inadequate levels. Also, the exercise loses much of its effect if independent agencies are not involved to give unbiased assessments.

The second driver is demand from customers. While the BPO and ITES sectors have felt this pull, and gained from it – consumers must demand similar levels of data protection across all industries. Regulators, consumer protection forums, employees in corporates, and stakeholders in companies must insist on Information Risk management audits conducted at regular intervals by independent agencies.

Of course, cooperation between public and private elements has a major role to play in any synchronised in-depth defence.

This includes efforts by the private players to help increase the knowledge bases and skill sets of the public agencies, and faster turnaround times and an understanding of business sensitivities by public agencies.

And while such forums hold a promise for developing a joint strategy, it is the creation and execution of the action teams, joint teams between the private and public sectors, that will alone provide the test of corporate and state InfoSec preparedness.

(The author is the CEO of Mahindra Special Services Group (MSSG), a company providing Enterprise Derisking Solutions to organisations worldwide.)


Copyright © 2007, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line