Actionable steps based on Kaspersky’s experiences working with regulators, as well as our understanding of the needs and concerns of private sector clients
By: Heng LEE, Government Affairs and Public Policy Manager, Asia-Pacific and Japan, Kaspersky
The Indian market has been an important one for Kaspersky. India’s large base of end users and the high number of innovative enterprises have made it a prized target for cybercriminals – in fact, India has consistently been featured in the top 12 targeted countries and territories for Advanced Persistent Threats (APTs), based on Kaspersky's research on APTs. It is therefore important for Kaspersky to partner with key stakeholders in India’s cybersecurity landscape to jointly prevent, detect, and deter cyberattacks. These efforts include frequent technical exchanges and capacity-building for India’s National Cyber Security Coordinator (NCSC), and the Indian Computer Emergency Response team (CERT-In), amongst many others.
However, given the number of organizations in India that are increasingly reliant on digital services, it is inevitable that there are vulnerabilities in these organizations’ ICT supply chains that can become targets for attack. In a prominent example, the All India Institute of Medical Sciences (AIIMS) in New Delhi was hit by malware attacks twice in the span of 7 months, in November 2022 and June 2023. While the 2023 attack was successfully neutralized, the 2022 attack had led to the disruption of many services, especially online-based processes. Patients were asked to return home without consulting doctors, and basic daily operations like appointments, admissions and billing systems were affected. The incident served to illustrate just how pervasive the impact of cyberattacks can be.
While the AIIMS incident had taken place in a medical setting, there are applicable lessons for all Indian enterprises and organizations. The ICT supply chain of any industry can well contain disparate elements – such as suppliers, distributors, customers, managed service providers, SaaS, and contractors. If any one of these elements is compromised, a domino effect could easily be triggered, implicating the rest of the ICT supply chain. It means that organizations must look beyond their own systems, to ensure that their partners too have systems that are adequately secure. This poses a strategic dilemma – how do organizations in India move ahead together, and avoid a waiting game where everyone is looking to someone else to make the first move?
At Kaspersky, we propose a roadmap of 4 key, actionable steps to strengthen the cybersecurity ecosystem in India – which require equal effort from the government and the private sector alike. This is based on our experiences working with regulators, as well as our understanding of the needs and concerns of private sector clients, especially those in Critical Information Infrastructure (CII) industries:
Develop core principles, technical standards to ensure a consistent level of cybersecurity across all companies involved
This would be the quickest way to level up entire industries and to address threats that are common to players within them. In India, industry-specific standards have been prescribed by specific regulators, such as the Reserve Bank of India (RBI)’s Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices 2023 for banks; and the Insurance Regulatory and Development Authority of India (IRDAI)’s Information and Cyber Security Guidelines 2023 that are applicable to all insurers, including insurance intermediaries, brokers, corporate agents. As these principles and standards grow in scope and become more technical, it would serve companies well to have cybersecurity policy and compliance teams who can navigate them effectively.
Improve procedures and regulations on ICT supply chain infrastructure
These would be policies that transcend industries, to reduce the chances of nodes in the ICT supply chain from becoming points of vulnerability. In India, these would include the Indian Telecom Security Assurance Requirements (ITSARs), which mandate the use of trusted products in the country's telecom networks to ensure the security and integrity of the supply chain; as well as mandatory certification standards by the Bureau of Indian Standards (BIS) to ensure the quality and reliability of ICT products entering the Indian market. In any country, cybersecurity considerations must be at the forefront of each of these nodes, to ensure that cybercriminals cannot easily identify a weakest link to launch an attack from.
Actionable national cybersecurity strategies
At the national level, cybersecurity strategies must be actionable, to guide organizations on best practices to prevent, detect, and respond to cybersecurity incidents. This has begun in earnest as the Indian government prepares to launch the National Cyber Security Strategy, as was announced in 2023. While it remains to be seen if the industry can translate the guidance from such a strategy into concrete steps, this is a highly-anticipated document that industry players will be keen to analyse when it is eventually launched.
Private and public mutual cooperation and cyber security capacity building
Given the multiplicity and magnitude of threats that organizations face today, no single entity will have all the solutions to tackle them. This makes public-private partnerships (PPPs) all the more important as governmental and industry efforts complement each other to cover as much ground as possible. Kaspersky firmly believes in such collaborations, and our efforts in India have included regular landscape briefings on threats and technical workshops for cybersecurity-related agencies. Selected officials from CERT-In had also participated in Kaspersky’s Cyber Capacity Building Program (CCBP), which had been designed to help governments, the academia, and companies develop mechanisms and skills to assess ICT products that they use. Kaspersky also provides to the public statistics on threats detected on the devices of Kaspersky users – real-time data on India can be found here.
Under the auspices of Kaspersky’s signature Global Transparency Initiative (GTI), we have invited state agencies, regulators, enterprise and partners of Kaspersky from anywhere in the world to visit one of our 11 Transparency Centers worldwide, to conduct a comprehensive examination of Kaspersky’s source code, software updates, and threat detection rules. Significantly, in late-2023, we welcomed the first visitors from an Indian government delegation at our Transparency Center in Zurich, Switzerland. As Kaspersky journeys with Indian enterprises and organizations in strengthening the country’s cybersecurity ecosystem, we look forward to further visits and exchanges with Indian stakeholders, as we jointly create standards and best practices that would thwart the efforts of cybercriminals.