Whither cyber strategy?

Indian government’s vague resolutions to build capacity for cyber security with little to no specifics are unlikely to meet the requirement.

The increasing role of networked computers in running infrastructure (such as cell phone networks and critical business processes) in recent decades has seen a rise in crimes related to compromising the integrity of these networks. An event such as Chinese hackers taking down a large part of the Indian telephone networks, that are mostly based on Chinese Telephony Hardware, is not unlikely. A report prepared by Pentagon for the US Congress identifies targeted cyber attacks by the Chinese military on US government and private networks. Such plans have been announced by other governments targeting competitor nations with targeted cyber attacks to steal intellectual property or to cripple critical infrastructure in case of hostilities. Such concerns have prompted the Indian government to study the scope and nature of threats arising from such cyber attacks.

Cyber Security at the Ministry of Defence

The recommendations of various Joint Working Groups (JWG) last year were consolidated and released in a report by the National Security Council Secretariat titled Recommendations of JWG On Engagement with Private Sector on Cyber Security, towards charting a plan for securing networks and computers of public and private sectors by creating a permanent mechanism for a Public-Private Partnership in cyber-security. The document recognises the importance of creating trained professionals required for securing the goals mentioned in the document. Newspapers had reported plans to create 500,000 cyber security professionals by 2015, which amounts to graduating roughly 250,000 security professionals annually until 2015. These numbers appear to be arbitrary given the lack of facilities to teach that many individuals in such a short time span. This news has already attracted operators of unknown antecedents offering cyber security training for a hefty fee, and doing little more than providing documents towards the preparation for cyber security certifications like CISSP. The set of recommendations in the JWG report for training the required personnel, amount to innovative recruitment and placement procedures, specialised training in PPP mode, joint work by the Ministry of Communications and Information Technology and Ministry of Human Resource Development with the private sector to establish a cyber security capacity building framework, running awareness campaigns for general public, and similar vague resolutions to build capacity with little to no specifics. These organisation are to be coordinated under the leadership of the Deputy NSA. The implementations of all these recommendations have been left to a permanent JWG at some unspecified point in the future. It is not clear how the Deputy NSA plans to coordinate with MHRD and MCIT in their plans for training people, should the requirements change down the line.

The US government has similarly recognised the need for large numbers of trained security professionals in the government, based on a set of 11 recommendations by the DHS Advisory Council in Cyber skills Task Force Report. This report recognises the vulnerability of government networks and SCADA systems used to control industrial machinery such as power generators. Secretary of the DHS, Ms Janet Napolitano identified the development of a workforce capable of meeting cyber security challenges in June 2012, before the JWG submitted its report to the NCSC in August 2012. Specifically, Secretary Napolitano recognised the need to improve its capability to recruit large numbers of sophisticated cyber security professionals.

The DHS report is specific on how it plans to achieve its goals by recognising that different mission-critical tasks may require different skill sets, and recommends maintaining an authoritative list of all mission critical cyber-security tasks, and then developing specialised training for each of these tasks. The DHS is directly responsible for the development of cyber security workforce. Towards this end, the DHS recently announced that it was working with community colleges, high schools and universities across the nation, along with cyber security competitions and challenges to tap talent for a more skilled and challenging mission critical tasks.This is the first step towards selecting capable people into the system after which they are expected to work on different tasks, such as customs and border enforcement, managing SCADA systems or one of the other mission critical tasks and to make them capable of serving either in the government or in private corporations. The important part is that the DHS has sole responsibility in determining the kind of training that is required by cyber security professionals now and in the future to meet the challenges it has determined.

According to the DHS website, this program will begin at Immigration and Customs Enforcement computer forensic labs in 36 cities nationwide, where students will be trained and gain hands-on experience within the department’s cyber security community. The unpaid volunteer program is only available to community college students and (military) veterans pursuing a degree in the cyber security field.

A government program that spreads the responsibility across the MHRD and MCIT without a common vision for the requirements of the future is unlikely to meet those requirements, either for the government or for the private sector. The setup being planned would prove to be a catastrophe in the long run. India needs to assess the stakes at play here and pragmatically improve its strategy in this field.

Photo: Defence Images