It is reported that NASSCOM and DSCI have set up a Cyber Security Task Force with representatives from industry and academia to identify key priorities and build a detailed action plan. The task force is expected to study the Indian Cyber Security ecosystem to identify the issues and challenges. The Chairman of NASSCOM states that the efforts will be to “bring together the stakeholders from across the board”.
The initiative is welcome.
However, it has been noticed earlier that the approach of NASSCOM, led by technology specialists, often fails to address Cyber Security from a holistic perspective. The end result of most such initiatives led by business leaders is to identify and pursue the business opportunities that arise out of them, and any benefits that society may achieve become incidental. The interest of the end consumers is not always kept in mind by such initiatives.
One example which we can quote here, for those who have great faith in such industry-led committees, is the attempt made by some Bankers who were part of the G Gopalakrishna Working Group (GGWG) of RBI, which was meant to address the Information Security requirements in E Banking, to influence the committee into taking decisions which were anti-consumer and in violation of the law of the land. It was only through the efforts of a vigilante Naavi.org and an understanding Chair Person that the effort was thwarted.
It is therefore anticipated that even this NASSCOM-DSCI Cyber Security Task Force runs the risk of such motivated manipulations, which need to be guarded against.
It is necessary for the task force to recognize that “Cyber Security is not achieved only by a set of technology tools such as an Anti Virus package, Firewall or an IDS system but includes the Cyber Law environment and the management of the behaviour of human resources”. In other words, it is necessary to recognize that Cyber Security is a three-dimensional exercise involving technology, law and behavioural science.
I am confident that the task force will do adequate work as regards the technical aspects of security. However, I am more or less certain that the task force will fail to have a holistic view of the Cyber Security ecosystem that includes laws that affect technology and behavioural aspects of ICT users.
For the approach to be comprehensive, the task force report should incorporate the Cyber Law requirements to support issues such as Cyber Warfare, Cyber Terrorism, Organized international Cyber Crime syndicates, Privacy Issues, Anonymity and Pseudonymity, Addiction of Internet users to Social media, Effects of Video Gaming, Pornography, the issues of Social Engineering and the ubiquitous presence of Mobiles.
The attempt of technologists would be to drive technology use without fully covering the risks. When the technology person himself looks at security, there is an inherent conflict of interest, and the final outcome always leans towards what increases revenue and profitability. The risks which make consumers lose money are never the focus of such task forces.
I would like to draw the attention of the Chair persons of NASSCOM and DSCI to the above apprehension and request them to take appropriate steps.
Naavi