Financial Daily from THE HINDU group of publications
Monday, Mar 07, 2005


eWorld - Security


We're right on target

R.K. Raghavan

India is right on track when it comes to cyber space security. However, it needs to tell the world that it is a safe country to do business with.

INTERNATIONAL conferences can sometimes be a waste of time. This one was different. A cyber security summit organised recently in Tampa (Florida) by the Department of Information Systems and Decision Sciences of the University of South Florida, in collaboration with the FBI and Raymond James, a well-known financial firm, was a revelation of sorts. An exchange of views on the growing vulnerabilities of cyber space took place. India's image as a reliable partner for the outsourcing of services from the US is no doubt well-grounded. This is, however, somewhat clouded by some misgivings about the security of data transferred offshore. This arises from the fact that we do not yet have data-protection legislation, and everything will necessarily have to turn on the contract between the foreign and Indian partners to a deal. This delay in providing legal cover to lawfully-shared information comes in handy to the small but formidable anti-outsourcing lobby in the US.

I found the job cut out for me to explain how major Indian IT companies have been extremely sensitive to meeting the foreign client's expectations on this front. I had an attentive audience when I described the upgraded arrangements to restrict access to networks and facilities from where offshore systems function. Forums such as this summit are no doubt good to spread the message that India is a safe country to do business with. There is no room, however, for complacence. Indian businesses, especially IT companies, will have to raise the pitch of their voice, if only to dilute the protectionist lobby in the US.

The Florida summit also threw up ideas on how to deal with identity theft. According to FBI speakers at the summit, this growing menace caused havoc to financial establishments the world over. Interestingly, the mischief is traceable often to East European predators to whom 'phishing' is a favourite and profitable pastime. Here, the offender manages to duplicate the Web site of the targeted firm (such as a leading bank) and manages to elicit personal information like the User ID and password from a number of customers. Data so extracted is used to transfer large sums of money to beneficiaries associated with the criminal group masterminding the exercise.

To my knowledge, victims include famous banks on both sides of the Atlantic. (According to the latest report of the US Federal Trade Commission, there were 247,000 complaints of ID theft during 2004 and the loss to consumers from fraud and ID theft was more than $500 million.) The FBI and the UK's Hi-tech Crime Unit (HTCU) have been battling this for several years with modest success.

The conference was told that new software has been developed to fight 'phishing'. What it does is to blink yellow whenever a bogus site appears on your screen asking for what is intensely private data. I am yet to see this, but the concept is interesting, if it works well. www.privacy.net is a Web site that gives useful information on how to protect oneself against ID theft.

The FBI official also referred to the increasing vulnerability of banks themselves (and not merely their customers) that provide online transactions. There was an instance last year of a Trojan let loose on an American bank that managed to transfer $20,000 each day for three successive days.

What is most significant is that few establishments are enthusiastic about reporting such intrusions. This apparent indifference is dictated by unreasonable apprehensions about permitting inspection of systems by external agencies and the fear of impairing customer confidence. Losses are, therefore, covered up. The same attitude prevails even among non-financial firms who just do not want to admit victimisation. This is more an ego problem fuelled sometimes also by an assessment that the time spent on assisting investigating agencies is better utilised for concentrating on day-to-day operations!

Ingenious identity thefts can be combated only through customer education. The stress should be on enhancing customer sensitivity to security matters. This is more easily said than done. Even experienced IT professionals slip up, committing the most fundamental of errors that compromise their own network.

Cyber security has become hackneyed with so many of us talking about it all the time with the accent on promoting technology. This is good as far as it goes. Devices such as Intrusion Detection Systems (IDS) and firewalls are no doubt useful. However, they have their own limitations. There is no way we can eliminate cyber attacks. What we can do is to reduce their frequency and intensity, through imaginative planning and employee/customer training. Investigative agencies like the FBI and CBI can lend a helping hand.

The author is a former Director of the Central Bureau of Investigation and is Adviser (Security) at TCS, Mumbai.


Copyright © 2005, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line