| Source Link | |
20 February 2014
Cyber attacks are not a security challenge that can easily be
eliminated. No kind of infrastructure is absolutely impregnable and the
adverse impacts can at best be minimised by emphasising on risk
containments. This was among the key conclusions reached by participants
at the panel discussion on "Benefits and Challenges of National Cyber
Threat Information Sharing" at Observer Research Foundation, Delhi, On February 11.  It
was opined that the structure of networks needs to be refined. In
today’s cyberspace, information spreads almost unhindered through a flat
environment. With a single compromise, malware tends to infiltrate the
entire programme and in effect disrupts the entire network. Security
experts recommend that security risk can be minimised by segmenting
information by building containers inside the network. Indeed, these
issues must be tackled as soon as possible; especially as the
interconnectivity between products is increasing, the stakes are raised
higher, as critical systems such as pace makers, insulin pumps, etc.
will be connected to computers, clouds, etc.  The
panellists applauded the timing of this conference as the PPD 21 from
the US government directive on how to handle critical information
infrastructure has just been published. Other countries have tried to
enforce regulations on the same theme. However, according to the
speakers, the costs of these requirements were not fully understood. As a
result, the programmes were not fully successful. The Obama
Administration has since learnt from these experiences and has
established a private-public partnership, involving intelligence
services, the Homeland Defence Security and the National Institute of
Science and Technology. They have established a framework with the best
practices and incentives to help industries adopt them. In addition,
information on threats, such as fraudulent IP addresses, will be shared
among all the actors.  Major
companies or institutions have enough resources to secure their
networks, according to participants. They can afford, for instance, to
build redundancy into the systems —a process also known as a
cross-domain solution. These solutions, however, have not yet migrated
to mid-level companies like public-private partnership companies, for
example power or water providers. Though these companies are critical
infrastructure, they do not assume the stature similar to National
Security. In addition, with limited resources they cannot afford to
invest a large amount of money in cyber security.  Experts
present argued that, to be more effective, information on cyber threats
should be open source. Companies that have suffered cyber attacks
should share learned information amongst other companies. However, it
was contended that there was a problem in this suggestion. Currently, if
a company discloses information of its history of attacks, the
company’s reputation will decline. If this can change, and proactive
companies that share information could be protected and their
initiatives awarded, cyber security would be much more effective and
sustainable. It was emphasised that public perceptions must learn to
adapt.  According
to some panellists, it should not be forgotten that threats could come
from outside as well as inside systems. Even though inside threats are
less likely, they never-the-less pose the trickiest challenge.
Architecture of inside networks should be revised,as it is no longer
relevant to have a master administrator who has access to all the
information. "Such an operational structure only makes things worse, and
therefore IT services should be given access to only relevant
information to their sector", argued the speakers.  Further
on into the discussion, the importance for companies to implement
threat specific training at the individual level was mentioned. It was
explained that "Risks are inherent and thus comprehension is essential.
Understanding your assets is the key so that vital aspects are
prioritised. Employees must understand the risks that they will be
facing and how to react to each one".  Another
point that was raised by the participants was about how to effectively
respond to the supply chain integrity question. "A company", it was
said, "must be sure that every sector is secure; however, it is
impossible to do this. Even after rigorous process design, nothing can
be guaranteed. It is complex and costly, but also a priority in today’s
environment. It must be assumed then that there are going to be breaches
and contaminations rather than hope they never occur; efforts must be
focused on the resilience of the system."  An
expert present said, "It is important to keep in mind that the effects
of cyber threats go beyond petty thefts. Information stolen is not
limited to an individual’s credit cards or personal information, but can
extend to a great number of other people and their governments. The
information could even be used for infiltration into a nation’s security
infrastructure. For example, information stolen by Chinese cyber
criminals during the Katrina disaster could handicap the USA’s responses
in the future. Essentially, we are in the dark about how far cyber
security threats reach and how much danger they pose to a nation."  In
conclusion, the discussion focused on the parallels between the Indian
cyber market and that of the USA. They are vey similar in nature: a big
market, diversified industries and private companies as opposed to
public issues, as well as the same government interest and obligation to
protect industry and the consumers. As a result, it was argued, it is
vital to have businesses in the cyber security sector that develop
expertise and make profit from assessing and tackling information
threats. This would allow multiple actors to contribute to information
threat sharing and information security. (This report is prepared by Benjamin Bath, Research Intern, Observer Research Foundation, Delhi) http://orfonline.org/cms/sites/orfonline/modules/report/ReportDetail.html?cmaid=63320&mmacmaid=63321 |
No comments:
Post a Comment