Any public or private agency that collects data from the public should be accountable, says Rama Vedashree, CEO of Data Security Council of India, India’s top industry body and policy think tank on cybersecurity. Excerpts from an exclusive interview:
Q/ What kind of cyberthreats are industries and critical infrastructure facing?
A/ If we scan the cybersecurity threat landscape in the last 18-24 months, there is a rise in targeted phishing campaigns. There are accentuated supply chain risks. When you look at the digital ecosystem, it is a very broad ecosystem of suppliers provisioning digital platforms, which makes them vulnerable to threats. The biggest challenge is ransomware attacks, which are carried out by well-organised cybercrime groups. There are also advanced persistent threats and attacks on critical information infrastructure like oil and gas, power, and banking sectors that can have a cascading impact.
Q/ What are the priority areas for DSCI?
A/ As an industry body, DSCI works in several areas to promote cybersecurity and privacy and enhance the cyber posture of the country. Expanding the cybersecurity industry—both services, and products—to support customers in India and worldwide, to mitigate cyber risks is one key priority area. Since our IT industry serves global customers across almost 90 plus countries, we want to ensure India is perceived as a safe destination for offshoring, outsourcing, and setting up global capability centres.
We have a platform for threat intelligence and whenever any major breach happens globally or any new ransomware attack takes place, we immediately engage with industry experts, research firms and issue threat intelligence advisories.
We have been one of the biggest advocates for a strong data protection regime in the country. We are running a state-of-the-art Centre for Cybercrime Investigation Training and Research (CCITR) in Bengaluru, which is funded by Infosys Foundation. It takes care of the skill-building of law enforcement officers across states and has very advanced forensic training programs. We are also regularly hosting advanced forensics training programmes for defence and paramilitary forces.
Promoting cybersecurity start-ups, building a culture of innovation and entrepreneurship, advancing women in cybersecurity, and overall awareness around security and privacy are other priority areas of DSCI.
Q/ There are concerns that the Personal Data Protection Bill does not have the teeth to enforce the provisions.
A/ The joint parliamentary committee (JPC) has been doing a lot of consultations and I am assuming that they are factoring in the industry and other stakeholder feedback. DSCI and NASSCOM [The National Association of Software and Service Companies] have also given feedback to the JPC and ministry of electronics and IT.
The accountability of public agencies, along with the private sector and global tech firms, needs attention to guarantee privacy as a fundamental right. The bill has provisions against any agency collecting personal data, whether it is a start-up or a big global tech firm; a bank or a telecom company, a public sector agency, or a state government collecting data of millions of citizens in their eGovernance platform.
We are hoping the broader industry feedback is acted upon and we have a robust enforcement mechanism with an autonomous, and empowered authority with adequate budgets.
- Inside story of cyber attacks on India’s banks, airlines, railways… and the fightback
- Cyber crime: There is not a single institution where the buck stops
- Chinese hackers threaten India's critical infrastructure: CEO, Recorded Future
- We regularly warn of impending threats, says Sanjay Bahl, DG, CERT-In
- Cybercriminals will exploit reliance on mobile devices
Q/ Both government and private sectors show reluctance in reporting cybersecurity breaches. Is that a challenge?
A/ The role of the regulators is important here, as we have seen that banks started reporting incidents once there is a regulatory mandate. If the breach notification is incentivised, there are more instances of reporting. But we must understand that the nature of cyberattacks now is such that it takes time to detect, analyse and investigate them.
Q/ How are you engaging with state governments?
A/ We are engaging with law enforcement agencies in most states under our cybercrime training and research programmes. They have benefited from our forensics training programmes. We have engaged with many states in drafting progressive cybersecurity policies. Recently, we have given comprehensive inputs to the Gujarat government, which is coming up with a cybersecurity policy.
We have also partnered with the government of Telangana and established a cybersecurity centre of excellence [there].