
Hans Raj Verma, IAS
Additional Chief Secretary, Chairman And Managing Director, Tamilnadu Industrial Investment Corporation Ltd (TIIC)

I stand before you not as a bureaucrat but as a practitioner of cybersecurity. I have been the IT Secretary for the Tamil Nadu government. I am a certified National Cybersecurity Scholar (NCSS) from ISAC. Currently I head the Tamil Nadu Industrial Investment Corporation (TIIC), where we are building cyber security as a key foundation of operational strategy. I will speak about strategy and my fellow panelists will speak about the operational details.

We live in a VUCA world. We are facing constant volatility, uncertainty, complexity and ambiguity. The three great risks which we as individuals, society, organizations and nations face are sustainability, cybersecurity and geopolitical risks. Let me discuss cyber security and cyber resilience for critical infrastructure.

Coming to strategy, let me quote Sun Tzu, the famous Chinese General. He says there’s a clear distinction between strategy and tactics. Tactics is short term and ad hoc while strategy is long term vision. He says, if you have only strategy and no tactics, it’s only a slow route to victory. But if you do not have a strategy and have only tactics, it’s a sure route to defeat. More often than not, as organizations, we resort to tactics for cybersecurity. What we need is strategy. The US Government’s National Cybersecurity document is not called cybersecurity policy. It’s called cyber security strategy. It’s got five pillars and 25 strategic objectives.

The Five Pillars of Cyber Security

The five pillars are: building and protecting cyber resilience for the critical infrastructure; getting the market forces to assist the government agencies in cybersecurity; building a resilient future; forging alliances; and thwarting the state actors or the threats, which threaten the critical infrastructure of a nation. What is of interest to us today is the critical infrastructure. To me, the top five critical infrastructure sectors are energy, telecom, financial systems, healthcare, and manufacturing. Today, security of critical infrastructure is an integral part of national security.

Humans Matter Most

We are all cyber warriors who need to be sensitised and made aware of our respective roles in our collective endeavour of national cyber resilience. Remember, it is humans who will decide whether an individual, society, organisation or nation is resilient on the cyber front.

Pareto’s 80/20 law applies here. While the role of technology is going to be 20%, the human dimension is 80%. Unless we understand the human dimension, we will go wrong. Technology is not the panacea or the silver bullet. Investing only in technology, without factoring in the human dimension, is a sure recipe for failure.

Lessons from History

History teaches us a lot of lessons. Various historical incidents have occurred on account of human failures. Let’s start with the Battle of Troy and the famous Trojan horse. Prince Paris eloped with Helen of Troy. The Greeks came to Troy to take her back but they could not breach the fortress of Troy. A very wily General of the Greeks, Odysseus, built the Trojan horse and left it as a gift at the gates of Troy. It was the collective failure of the entire Troy that they thought the wooden horse was a gift and took it inside the city of Troy. At night, Odysseus and a team of soldiers came out and conquered Troy. It is a classic example of human failure.

Second is the Great Wall of China. The great Mongol Emperor Genghis Khan mentioned that the wall is static and it meant nothing to him. ‘It is only as strong as the people manning the wall.’ If we take this analogy, the wall is your technology. But the people manning the wall are the key in securing your fortress or empire.

In 1453, Constantinople was captured by the Ottoman Turks. They tried their best several times to conquer this imperial fortress which is called Istanbul today. They were able to do it only because of someone’s complacency, carelessness or an insider job. They left one of the gates open and Turks entered that. The rest is history. Again, the failure had to do with the human dimension. 

Need for Compartmentalisation

We have all heard of the sinking of the Titanic. The Titanic was said to be an unsinkable ship, yet it sank on its maiden voyage in 1911. There were warnings that icebergs were there. But they locked the binoculars and could not find the key to look out for icebergs. That was mistake number one. Two, when the iceberg came ahead, had the Titanic hit it head on, nothing would have happened. The mistake they made was they turned the ship and the steep edges of the iceberg cut each of the compartments.

From a cybersecurity point of view, any system must have compartmentalisation. If there is an attack, one compartment can go down and you can recover. The whole system will not go down. The Titanic was the biggest tragedy at sea in civil shipping. Again, it was because of human elements.

Our cybersecurity systems should maximize the strength of human beings and at the same time, minimise vulnerabilities. There’s always a chance of a password failure. You need to have checks and balances. Take the example of Barings Bank, the oldest commercial bank of Britain. One single currency trader Nick Leeson in 1995 sank it by doing unauthorised currency trades and he caused a loss of over 800 million British pounds. The bank was eventually sold for one pound.  

Recent Cyber Attacks

Let’s move to recent attacks in the history of cybersecurity. The SolarWinds Orion attack is a documented case of cybersecurity breach. SolarWinds used to supply networking tools and software to major companies in the world. By late 2019, they released an update called ‘Sunburst’ which was intruded and deliberately infected by a malicious malware. When the update went to the platforms supplied by SolarWinds in 2020, many critical organizations and multiple government agencies were infected and this was one of the major disasters of cybersecurity.

In 2014, before Russia attacked and annexed Crimea, there was a huge attack on the telecom infrastructure of Ukraine. Before an enemy attacks a nation today, they cripple the critical infrastructure and then move in. The battles to secure the nation’s border are going to be fought both on the physical border of the nation as well as on the cyber frontier.

In 2016, there was a malware called Petya that targeted Microsoft Windows systems. In 2017, a variant of Petya called NotPetya ransomware attacked Ukraine’s banking and financial system. Through that, it spread to various organizations and to Maersk Shipping Line as one of their computers got infected. Through that, the entire logistics of Maersk Shipping was impacted. The NotPetya ransomware attack is a documented and deadly attack in the history of cyber-attacks, with losses running to about $10 billion plus.

Cyber-attacks no longer happen on a small scale. The latest attack, the Colonial Pipeline attack in 2021, led to a national emergency declaration by President Joe Biden in the US. Reusing of passwords is one of the very common human fallacies. One of the employees reused the password and as a result, 5000 kilometers of pipeline supplying gasoline for the airplanes and petrol for vehicles were subject to ransomware attack and they had to pay money to get the data back. In all these, we see the human elements. Any system is only as strong as its weakest link and the weakest link is dynamic.

Boards Have a Big Role

Cyber security is not static. It is constantly evolving. It’s a process and not a product. It is no longer a domain of the CTO or the CSO. It is in the domain of the boards now and a mainstream agenda of the boards of companies. They have to set the agenda and set up committees for cybersecurity supervision and ensure that their organisations are resilient. Most incidents of cybersecurity are not reported because of the fear of reputational loss.

Any organization that suffers a cybersecurity hit has got three challenges to face: regulatory risk; financial loss; and loss of reputation. Case studies show that any organization hit by cybersecurity loses business. Today’s cyber resilience for critical infrastructure is as much as warfare and military strategies about the territory gains.

As IT Secretary, I have dealt with the entire gamut of the operational command. In India, we have the NSA, the National Security Adviser. Under him, we have the National Cybersecurity Coordinator. We have the CERT: Computer Emergency Response Team, the regulator that’s supposed to step in first. We have the C-DAC; we have the National Critical Information Infrastructure Protection Centre (NCIIPC); and we have the SETS: Society for Electronic Transactions and Security. I was on the Governing Council of SETS which is based in Taramani in Chennai. SETS focusses on the next domain of quantum computing and cryptology.

Focus on Energy and Manufacturing Sectors

Some of the visions of the US Policy Studies paper are today relevant for India. First is the energy infrastructure. It says we will secure our clean energy future. Today with green energy coming in a very big way, there is distributed distribution of energy fronts. Our grid frequency has to operate between 49.5 Hertz and 50.5 Hertz. If any cyber attack happens on the grid, our trains will stop and everything will come down. We must have resilient systems in the energy sector.

Second is manufacturing. We talk of Industry 4.0 and 5.0. India is poised to be the hub for advanced manufacturing and a key link in the global supply chains. With the new sensors (IoTs) coming into play, everything is linked to the internet. We have PLCs. In 2010, Siemens PLCs which were operating the centrifuges of Iranian nuclear power reactors went out of control with a virus and the entire system collapsed. This was a seminal moment.

Indian manufacturing is part of the global supply chains. We supply auto components and a number of products to the world chain. If the IoT or PLC is compromised for an auto company and say, the paint thickness changes or the dimension of a component changes, imagine the impact it will have on the reputation of our nation and our supply chains. So, securing manufacturing is extremely important as part of critical infrastructure protection. 

Need for Quantum Computing

We need to invest in quantum computing. The base of today’s cybersecurity is resilience and cryptology. Quantum computing will disrupt the entire topology as we know today. That is why all the nations are investing very heavily in quantum computing. We need to build a very resilient cyber workforce. Cybersecurity is one domain that will open up opportunities for our youth. We have a huge shortage of skilled cybersecurity professionals. All stakeholders must forge collective partnerships for creating cybersecurity workforce. We need to build partnerships across all verticals, all domains and all experts. 

Cybersecurity at Organisational Level

At the organization level, a few principles must be adhered to. First, look at the assets that you want to secure. Why do you want to secure them and what is the technology that you’re going to use for securing them? Will it create any further complications? Technology is not the panacea.

Finally, you must have a trade-off. Do not be penny wise and pound foolish in spending on cybersecurity. This is your most critical component for sustainability and success in the future. Spend wisely, with the guidance of your boards. 

Once you have the systems in place, organisations must follow some principles. First, you must know the ecosystem. That is where partnerships among stakeholders are extremely important. Often, organisations do not share if they’ve been attacked. Unless you share this information, how will you find solutions and countermeasures? If you know yourself and not the attacker, then for every victory, there’s one loss. And if you don’t know your own self, and the attacker, it is a sure defeat. From that strategy, all your employees must know the attackers.

In physical warfare, the ratio of attackers to defenders is always 1:3. For every one defender, there’ll be three attackers. This is a known fact visible to the naked eye. But today we are grossly outnumbered. Some say that today, for every defender of a system, there are 30 attackers. If critical institutions of health care are hacked, sensitive data of leadership will be leaked out. It’s a big national threat. Today, ransomware as a service and criminals as a service have become rampant. We need to be educated. It cannot be business as usual. Every employee has to be sensitised. You need to have depth in defence.

You must have multiple options and do not rely on a single option for cybersecurity defence. You need to have compartmentalisation. If one system comes down, the other systems will be able to be resilient and recover back. You need to understand the psychology of motivation of your employees. You need to practice zero trust of humans or devices. That is extremely important. You must have multi-factor authentication. Organizations need to start teaching every employee about cyber security.

They say there are only two kinds of organizations: those who have been hacked, and those who don’t know they’ve been hacked. Everything connected to the internet can be hacked. It means all organizations are vulnerable to cyber-attacks. In this VUCA world, cybersecurity is a mandate for all of us. We need to be proactive, not reactive. We need to collectively share knowledge and wisdom and partner with all the key stakeholders. Let’s collectively make India cybersecure.

Mr R Vittal Raj
Founder Partner, Kumar & Raj Chartered Accountants

We have always heard about somebody getting hacked. Nowadays, people get a deep fake attack, where a fake looking like your friend appears on WhatsApp video call and asks for money. In the epic Ramayana, the entire story would have stopped had Maricha, the fake golden deer, not come into the picture. Sita wanted that golden deer, which was absolutely attractive. Rama went behind the deer and Lakshman went in search of Rama, while advising Sita to stay safe in her place and not to cross the line drawn by him—the Lakshman Rekha. But Sita crossed it and fell into Ravan’s trap. A single security vulnerability led to the entire Ramayana.

Organizations don’t spend money on cybersecurity. They say, they’ll handle the threat, if it comes. When a colleague or another company gets hacked, we think it won’t happen to us, because we are smart. We think of an antivirus software as worthless expenditure. But when we get hacked, we lose all our money.

The least effort is spent on cybersecurity awareness. You can put up any number of devices but please understand that the devices need to be configured. The consciousness of recognizing a risk becomes an important part of strategy in the organization. Risk assessment and management is one of the key functions in GRC: Governance, Risk, Compliance & Control. For a hacker, one complacent employee is enough. One port which is wrongly configured on your firewall is enough. If we do not invest efforts and money in these processes, then it leads to serious problems. That’s exactly where we see the opportunities today. Our state is one of the most intellectually advanced states. We hold the key to the cybersecurity supply for the world. In the last couple of years, a huge demand has been emerging for cybersecurity professionals. We don’t have people who understand not just technology but the cybercrime scenario. We are going into a lot of automation. The GST collections are soaring and UPI sees huge transactions. The pandemic proved that we need not be literate but digital literacy is enough.

Sagar Srivastava
Scientist and Joint Director, C-DAC Chennai

The cyber-attacks and threats nowadays are very sophisticated and have become part of a well-organized structure. The hackers don’t do it haphazardly. They execute well-planned attacks and users are not aware of them. 

Usually, we check the system logs, only when the system is down. We must check the logs on a daily basis, so that we can pick up red flags, if any, in time. We must be prepared for attacks, respond properly and recover quickly, if there is an attack. There are many technologies which can detect suspicious activities. We can use blockchain to secure some of our financial transactions. We can use AI and ML to find out the anomalies on a daily basis. Apart from that, the end users have to be sensitized on a large scale. We have regulatory compliances in the financial sector but do we comply 100%? The answer is ‘no.’

What should we do? One, sensitive information should not be accessible to the common citizens. For example, the defence sector uses intranet through leased lines. They use internet only for ticket bookings. Two, we must have backup systems. Post-Snowden, it has been clearly revealed that the usage of proprietary systems is not advisable. C-DAC has come up with its own open-source solutions, where you are aware of the vulnerabilities. It was revealed that most of the Cisco Systems, network and routers were passing the information through the border sharing countries. Proprietary systems operate like a black box. We are only concerned and interested that our website should get VAPT (Vulnerability Assessment and Penetration Testing) cleared. But despite being VAPT cleared, you can’t be sure that your system will not be prone to a cyber-attack. We must make a good, resilient system rather than depending on some third-party auditor to come and tell us about the vulnerabilities.

Hans Raj Verma: In TIIC, we have a huge quantum of data of our customers like land records, their CIBIL scores, property statements, bank statements, etc. As trustees of these big data, it is incumbent upon us to secure these data. The biggest challenge we’re going to face is ensuring that our IT systems do not fall victim to a ransomware attack. We have strategies for securing and controlling the data. Regarding the other big ticket investment projects in Tamil Nadu, the respective institutions, investors and companies have their own respective cybersecurity systems.

Sagar: We use AI and ML to find out the anomalies. You can educate your code through machine learning to find out the anomalies rather than humans checking the logs on a live basis. It is better to have an alert system. C-DAC is a very renowned name for conducting computer-based examination system in the country. The system will give an alert to the Director of the examination center if anomalous or suspicious activity is detected. 

Hans Raj Verma: Tap all the government agencies for training programs. All have got huge resources with them and they want to share them with you. For example, ISAC is going to start their core program in partnership with IIT at Gandhinagar in July. You will come out of the program as a certified National Cybersecurity Scholar.

Vittal Raj: I had the privilege of working with RBI on the study committee on cybersecurity. There are some brilliant minds and very dedicated people who are at the RBI. If we compare the number of attacks with the volume of our economy and the banking system, it is minuscule. We are safe because of the silent work that organizations like RBI do. RBI penalises many of the banks for not putting their security in shape. They are not mincing words.

Sagar: Let me clarify that for C-DAC, Windows is a competitor. Our competition is systems similar to Linux based operating system. C-DAC is a nonprofit organization. The Bharat Operating System is available for the normal usage of general public. 

Vittal Raj: SEBI has issued very specific circulars on cybersecurity measures for every class of intermediaries. It also requires an audit. Also, NISM, the National Institute of Securities Management, is a very important body set up under the auspices of SEBI. NISM completely trains people on various aspects of not just cybersecurity but technology and securities market.
