Genie Sugene Gan, Head of Public Affairs for Asia Pacific at Kaspersky
As India continues to struggle with the latest wave of covid-19, people in the country have increasingly fallen prey to a series of cybersecurity attacks over the past year, with many hunkering down and working from home. Over the past few months, a broad range of critical sectors – including aviation, manufacturing, pharmaceuticals, and the government – have been affected in one way or another. Addressing India’s cybersecurity challenge will require collaboration among a broad spectrum of actors, and the private sector can play a critical role in this effort.
Cybersecurity is not a new challenge in India, but it has been mounting as a challenge amid broader trends and developments, including the increasing sophistication of cyberattacks and growing digitalization in strategic sectors such as finance. According to data from the Indian Computer Emergency Response Team (CERT-In), nearly 1.2 million cases of cyberattacks were reported in 2020, up nearly three times from 2019.
India already has several cybersecurity measures in place. In addition to CERT-In’s alerts and advisories on cyber threats, the government has issued guidelines for security applications to chief information security officers and mandated regular cybersecurity audits and mock drills. Internationally, India has forged collaboration with a raft of countries, including Japan, Israel, Bahrain and Southeast Asian nations to bolster cybersecurity.
Yet challenges persist and much work still needs to be done. India lacks a cybersecurity master plan and gaps remain to be addressed, including managing privacy concerns and developing a stronger backend cybersecurity infrastructure. Though a national cybersecurity strategy has been in the works since 2019, it is still pending final approval by the cabinet committee on security headed by Prime Minister Narendra Modi.
As India continues to confront cybersecurity challenges, the private sector can play a critical role in this effort. While the government has rolled out measures to incentivize both public-sector and private organizations to improve cybersecurity standards, the private sector should take the initiative to do more during this time while the government is focused on combatting the pandemic. In addition to the government’s ongoing efforts, companies can help the government in several specific areas, including promoting awareness, boosting education, and strengthening capacity-building: this will help ensure that the sector continues to move forward even during this difficult period.
Areas of Collaboration
The first area for collaboration is promoting awareness to foster two-way understanding. As Modi said in his speech on India’s 74th Independence Day in August, cybersecurity efforts need to be collaborative and integrated across actors and realms of the country, as they affect not just India’s security, but also its economy, development and society.
One key effort could be advancing greater transparency, so that the private sector gains a better understanding of what the government needs to shape policy and provide the necessary information about its products and processes. Cybersecurity companies can also play a role to help validate and verify products and operations fostering better understanding of protection technologies, infrastructure and data processing practices. The collaboration could be accomplished through several platforms, including through the dedicated transparency centres that Kaspersky has across the globe, and launching initiatives by companies in Asia and around the world to share data about how they work.
A second area is advancing education. The lack of relevant knowledge is among the key reasons for increased susceptibility to malware and phishing attacks. Additionally, advancing public-private cooperation in this area would boost India’s cybersecurity talent and promote expertise in its educational institutions, some of which are already world-renowned in certain areas.
A report from Michael Page India highlights how the cybersecurity field is experiencing a 43 percent talent shortage, and that India is expected to have over 1.5 million unfulfilled job vacancies in the cybersecurity field by 2025. Clearly education needs to increase so that this gap is narrowed over the next four years. Part of this can build on existing initiatives in place in India, including Project eSaksham, which trains students and educators in cybersecurity with the help of the Education Ministry. The government can also encourage efforts by individual institutions in India’s 29 states to partner with the private sector as they try to convey knowledge and skills to safeguard themselves against the misuse of digital technology.
A third area is capacity-building. This could involve working with individual government agencies that need assistance, or looking to encourage training or certification for professionals or micro-, small and medium-sized (MSME) enterprises in specific areas such as ransomware protection. In 2020, MSMEs accounted for nearly 38 percent of India’s national GDP, while 43 percent of the cyberattacks in India targeted MSMEs and startups. One obvious reason is the lack of resources but also, more often, lack of access to skilled resources. Kaspersky signed a memorandum of understanding with CERT-In in 2020, which focused on capacity building, facilitating cooperation for detecting cyber threats, and devising appropriate security measures. This included training CERT-In’s technical team to better adapt to evolving threat landscapes.
Beyond training, companies could also help amplify other areas of government focus, such as encouraging the development of cybersecurity startups to leverage the creative potential of the world’s largest democracy.
Bringing the Sector Up to Speed
To be sure, this is not to suggest that the private sector can substitute for government engagement in this domain. Indeed, the government has a critical, indispensable role to play in crafting a robust national security strategy, advancing the vision of a Digital India and finding the right balance on questions of privacy and data security.
Yet more synergy with the private sector could help India manage some of its cybersecurity challenges to build on its existing strengths and address any vulnerabilities that remain, especially during the pandemic. In addition, it would also be consistent with Modi’s comprehensive understanding of cybersecurity challenges, and the approach of the whole of society needed to address it. This would at least allow for progress within the sector when the government is ready to look at it again.