Conference on Cyber Security
Confederation of Indian Industry Southern Region (CII)
held a one day conference on Cyber Security at Hotel Accord Metropolitan,
Chennai on 24th April 2010. This is a brief report (from Naavi as a
speaker/delegate) on the proceedings of the conference. P.S: This is not an
official report of CII and contains only the personal observations of Naavi.
CII is a key industry association which represents a wide
section of the industry both from the IT and non IT segment. CII-South is
currently headed by Sri Kris Gopalakrishna, CEO, Infosys, as Chairman. CII
South has created an Internal Security Task Force of which Sri R Srikumar,
former DGP of Karnataka is the Chairman. Gp Capt L V Mohandas is the
head-Internal Security and IT (South). The task force organized an event in
Chennai on 24th April 2010 in which several representatives from the industry
and Government participated and deliberated on issues concerning Cyber
Security.
A copy of the entire programme can be found here. A copy of the
profile of the speakers can be found here.
During the inaugural session Sri R Srikumar the Chairman of
the task force introduced the theme of the conference and highlighted that
Article 51A of the Indian Constitution mandated certain duties on the Citizens
on actions required to be taken in the interest of the security of the nation.
He called upon the industries to also undertake appropriate security
initiatives as a part of their CSR initiatives.
Mr T. Rajendran, Commissioner of Police Chennai highlighted
the nature of Cyber Crimes and the difficulties for the Police in tracing out
crimes which are borderless and technologically complex. Mr N Lakshminarayan,
Vice Chairman, Cognizant in his keynote address recalled many Cyber Security
incidents and how Companies need to address the training needs of employees as
a key element of risk mitigation efforts.
Mr P W C Davidar, the IT Secretary of Tamil Nadu who has
been in the national news recently after his path breaking judgment in the
case of a Phishing Complaint against ICICI Bank in which he held the Bank
negligent under Section 85 of ITA 2008 and liable to pay compensation to the
Phishing Victim, (Copy of the Judgement
available here) urged the intermediaries including Banks not to rely on
"Fine Print Disclaimers" and hard sell technology intensive services to
customers who do not understand the risks. He said that private sector Banks
with their aggressive marketing strategies are adopting such hard sell
strategies while Government Banks are more circumspect. He also indicated that
TN will shortly announce a State Information Security Policy that may guide
e-Governance projects in the State.
In the first technical session that followed,
representatives of RBI, SBI and Vysya Bank presented their perspective on
Cyber Security issues. While they admitted the risks such as "Phishing", they
defended the current security practices such as the two factor authentication
and held that customers need to be more vigilant. Mr C V G Prasad, of ING
Vysya also felt that the software companies need to build security as a part
of their solutions supplied to Bankers. The group however did not recognize or
debate the recent judgment of Davidar on Bank's liability for Phishing. It was
not clear if the lack of debate on this judgement was due to a desire to avoid an
embarrassment to the Banking system, or that the group had not recognized the
implication of the judgment on Bankers.
The second technical session which followed, focused on the
subject of "Cyber Forensics". Experts from the industry highlighted the nature
of Cyber Forensics and steps to be taken by companies to prevent data breach
incidents.
In the post lunch session on "Policies and Laws", Naavi
highlighted the impact of ITA 2008 on Corporate Governance requirements under
Clause 49 of SEBI listing. He highlighted that compliance of Clause 49
included a CEO certification that "All regulatory requirements are complied
with" and indicated that many companies might have completely ignored the
requirements of compliance under ITA 2008 which came into effect on October
27, 2009. (Copy of presentation
available here). He urged the Companies to undertake a suitable ITA 2008
compliance audit to assess the risks and then take appropriate action to
mitigate them.
In the next two sessions, experts in Cyber Terrorism and
Cyber Warfare explained the concept with several interesting examples and
highlighted the risks. The experts highlighted the risks arising out of
Chinese policies and how China has been pursuing a highly effective policy to
build cyber warfare capabilities. They urged that suitable action needs to be
taken in India to counter such risks. Experts also highlighted how USA and
other countries have created a "Cyber Command" and accorded priority for
securing their country against Cyber attacks. Defense in Depth as well as
requirement of an Offensive action were discussed. (P.S: The presentations of
the speakers would be made available shortly by CII and when available the
links would be posted here)
The conference concluded with Capt Mohan Das assuring that
CII would present a recommendation to the Government based on the
deliberations held in the conference.
Naavi
April 25, 2010
Related Article:
Land Mark Judgment in Phishing Case
An Open Letter to IBA Chairman
Copy of Naavi's presentation
Indian National Cyber Security challenges
Issue of Cyber Laws For CxOs on Cyber Crimes
Comments are Welcome at
naavi@vsnl.com