Public Private Partnership for Effective Cyber Security
By Naavi
Securing any confined space involves securing the entry and exit points besides
monitoring the security developments within. Cyber Space being a space
without geographic boundaries, entry and exit points are present in every
computer or mobile which can connect to the Internet or a sub network in
the internet space. The internet space at any point of time is also so
huge, so dispersed and so diverse that monitoring the malicious activities
within communities inside this space is also a gigantic task.
Since every computer is a
potential gateway to a malicious intruder, security of the internet space
cannot be fully achieved without securing every individual computer.
Similarly, every network whether it belongs to government or private sector
is a potential community which needs to be secured. Since a malicious code
can enter a home computer or a school computer and then spread to other
networks, it is easy for us to appreciate that Cyber Security requires a
collaborative effort from all computer owners so that no weak link is left
in the chain.
The difficulty, however, is how to bring about the collaborative cyber
security effort between such disparate user segments as the mischievous
children, the ignorant common man, the professional, the corporate, the
Government etc. Similarly, the law enforcement segment is itself another
complex set-up, with police units of different States, the CBI, the RAW,
the Intelligence units, defense etc.
We can basically divide these stakeholders into two categories, namely the
Public institutions and the Private institutions (and individuals). Public
institutions in this context include the Government and Law enforcement
agencies, for which “Security” is an accepted responsibility of Governance.
Private institutions and individuals, however, are concerned about their own
security but not much about the security of the community. Sometimes they
will be too selfish and try to protect themselves at the cost of others.
It is therefore a challenge
to bring about a collaborative relationship between the public and the
private sector to achieve security objectives.
A finer point in such collaboration is “Building Sustainability” in the
relationships. Sometimes, in a euphoric state after a major catastrophe such
as the 26/11 Mumbai attack, there is a surge of enthusiasm to cooperate. But
this fades over time and society tends to get back to its old insecure ways
of working. Hence building sustainability is more difficult than getting
ambitious projects off the ground.
We shall therefore focus on
only this aspect of how to build “Sustainability in Public Private
Partnerships”.
The first principle of building a sustainable Public Private Partnership is
to identify the stakeholders for a given project and make them part of the
project. In any public service project, the beneficiary should be made a
stakeholder.
He should be responsible for the success and should benefit from the
success. Similarly, the NGOs which have their own motivation to serve
should be enrolled wherever possible into a project as a partner. Thus the
traditional Public-Private Partnership should be extended to include
Beneficiaries and NGOs. Thus we are talking of PPBN projects instead of PP
partnerships.
The accommodation of the
beneficiaries and NGOs into the scheme of a project is a very complex issue
since all the four suggested partners of the project will have different
motivations and each such motivation has to be respected and nursed without
being dysfunctional. This is the biggest management challenge of such a
project.
If we need to build
sustainability into such projects, managing such complex relationships is
inevitable.
In the Indian Cyber
Security field itself, we can look back on some of the projects and study
how such partnerships could improve the success of the project.
- Mandatory Digital Signature use:
The GOI introduced the system of digital signatures as a means of
authentication of electronic documents through the ITA 2000. The first
infrastructure became available sometime in 2001. But until the GOI made
the use of digital signatures mandatory in certain aspects, the usage never
took off. By such a “Mandate”, the GOI participated in the project without
any financial involvement of its own. The private sector, consisting of the
licensed Certifying Authorities, maintained the infrastructure on a
commercial basis.
However, the project did not involve the beneficiaries and NGOs in the right
measure. Hence the education of the beneficiaries was inadequate and the
usage was in many cases not in accordance with law. Had there been
involvement of NGOs through training, and of Beneficiaries through some form
of incentivization of proper use, we would not have seen the large-scale
application of digital signatures by proxy holders of private keys
(Secretaries on behalf of Directors of Companies, Chartered Accountants on
behalf of their clients etc.) in total disregard of the legal consequences.
- Amendments to ITA 2000:
Many of the amendments to ITA 2000 are oriented towards better national
cyber security. But they are also a nightmare for Privacy watchers who will
be concerned with the abuse and misuse of powers.
Many of the provisions require the cooperation of the private sector, both
the Intermediaries such as Cyber Cafes, ISPs and MSPs, and also the other IT
and non-IT companies.
If compliance with the ITA 2000 objectives has to be ensured as a part of
the National Cyber Security Project, there is a need to build a sustainable
partnership with the stakeholders, which include the Private Sector, Privacy
protectionists etc.
At this point of time such an approach is not visible and, if not corrected,
this may affect compliance. Just as there are Cyber Café regulations in the
country which hardly a few are aware of and comply with, the provisions on
data retention, traffic information, security breach information etc. in ITA
2008 will also be a regulation on paper with which only a few will comply.
- Cyber Crime Insurance:
Another area of Cyber Security regulation in India which is suffering for
want of proper collaboration is the area of Cyber Crime prevention. In
particular, any cyber crime resulting in a financial loss to the victim ends
up as a dispute between the victim and a service provider. This private
sector dispute, which results in conflicts and slows down growth, needs to be
resolved by the Government stepping in with appropriate regulations,
incentives and disincentives.
One such incentive would be in the form of catalyzing the introduction of
Cyber crime insurance. This would be a private sector commercial business
but needs to be kicked off with some regulatory push, for which the
Government is responsible.
For example, the Government may mandate all Banks to introduce digital
signatures for high value transactions and customer communication to reduce
the incidence of Phishing. Simultaneously, banks should be encouraged to
take insurance against Phishing just as they take Fraud insurance in other
cases. NGOs will have a role in evangelizing the use of better security
practices by individuals so that Banks are not saddled with too many
liabilities arising out of the negligence of their uninformed customers.
Without such efforts many of the security prescriptions will take a long,
long time to get implemented.
In order to have sustainability in Public Private partnerships, we therefore
need to restructure the project with the identification and involvement of
beneficiaries and other organizations. Perhaps we need to convert PP
Partnership projects to PPBN partnership projects to make them more
sustainable.
Such an exercise would
definitely be complex and need the best of management strategies to be
applied.
One model project which is
being tried by the undersigned under these principles is the Cyber Vidya
project meant for improving the education delivery in secondary schools in
Karnataka. This project involves the Government, the Schools, the teachers
and the private sector companies along with donors and NGOs to make the
project sustainable.
This project involves “Safe browsing” for School Children, “Better
Management of Computer Resources” for the School management, “A Cyber
Teacher for every School and Every Subject” for the Government, “Motivation
and Incentives” for the Teachers and “An Opportunity to Serve Education” for
NGOs: different incentives for each of the stakeholders, all towards making
the project sustainable and successful.
Naavi
October 9, 2009
Comments are Welcome at naavi@vsnl.com