The document discusses cyber security cooperation between India and the United States. It outlines how the two countries signed an MOU to promote closer cooperation on cyber security issues and the timely exchange of cyber threat information. This agreement establishes best practices for cooperation between the two governments on technical and operational cyber security issues. The document also examines some of the challenges to achieving global cooperation on cyber security, such as the lack of common terminology, legal frameworks, and dismantling the perception of cyber security as a domestic issue only.
Global Partnership Key to Cyber Security
Cover Story: InfoSecurity August 2011
With increasing incidents of Web defacements and cyber assaults, no nation or enterprise can
choose to ignore cyber security. The only way out is to be highly prepared and take conclusive
proactive steps for any eventuality.
The United States and India signed a Memorandum of Understanding (MOU) on 19th July 2011
in New Delhi to promote closer cooperation and the timely exchange of information between the
organizations of their respective governments responsible for cyber security. This kick-starts a
new beginning for India and the United States and for mutual co-operation on matters related to
cyber security.
A New Beginning
This brings us a major partnership with the United States in the fight against
cybercrime and the all-round concerns governing cyber security. The signed MoU, according to the press
release, establishes best practices for the exchange of critical cyber security information and
expertise between the two governments through the Indian Computer Emergency Response
Team (CERT-In), Department of Information Technology, Ministry of Communications and
Information Technology, and DHS United States Computer Emergency Readiness Team (US-CERT).
Through this arrangement, the respective governments and broader cyber security
communities in both the United States and India will have the ability to co-ordinate with their
counterparts on a broad range of technical and operational cyber issues.
As declared recently by William Lynn, Deputy Defense Secretary, the United States already holds
international partnerships, including those with Australia, Canada, the United Kingdom and
NATO. The overarching US Department of Defence (DOD) strategy hinges on five strategic
pillars, including:
• The establishment of cyberspace as an operational domain like air, sea, land or space, and
the organization, training and equipping of forces accordingly to perform cyber missions.
• The introduction and employment of new operating concepts on networks, including
active defenses using sensors, software and signatures.
• Partnership with the private sector and other government agencies, particularly the
Homeland Security Department, which is responsible for civilian network protection, to
protect critical infrastructure.
• The build-up of collective cyber defenses in coordination with U.S. allies and
international partners.
• Capitalisation of U.S. technological and human resources, including an exceptional cyber
workforce and rapid technological innovation.
Challenges to Global Co-operation
The MoU comes at a time when the Web is buzzing with multiple fringe hacktivists spread
across the globe. These include the well-known and most publicised groups such as Anonymous
and the self-disbanded group LulzSec, which apparently has now joined the Anonymous team.
According to a report published by the East West Institute on International Pathways to Cyber
security, there are nine areas that need to be addressed by the international private and public sectors in
order to achieve international cooperation. The report states the following points, worth
considering by the CISOs of all enterprises and by government officials.
• Education and Awareness: Awareness needs to reach “critical mass” in public perception
in order for it to become a pragmatic item of private and public sector agendas.
• Terminology: Defining and understanding various descriptions of the issues at hand,
whether seen as Cyber security (U.S.), Information Security (Russia), or Internet Security
(China).
• Creation of a sense and system of responsibility: Responsibility needs to be embedded at
three levels (a) individual and corporate end users; (b) creators of technology and media;
(c) government.
• Understanding the end user as well as growth of new media and technology.
• Constant battle between security, privacy and freedom: Such matters will not have a one-off
solution. Decision makers will need to understand that in order to reach solutions
some compromises need to be made and balances struck among these three important
factors.
• Lack of legal framework: Lack of domestic legal frameworks will impede international
legal cooperation.
• Challenging human nature: By nature we have consistently reacted to threats only once they
triggered specific actions. The decision-making and reaction mentality needs to keep
changing, so that we proactively address vulnerabilities before they are exercised by
threats.
• Dismantle the perception of domestic boundaries: Many treat cyber security as a
domestic issue, failing to understand that cyber security is a challenge that transcends all
borders and requires strong international dialogue, trust and cooperation.
• Economics: While the above aspects are considered, it is important to take into account
the economics behind achieving cyber security co-operation. Who will pay for security?
Can incentives be created for corporations and individuals?
State Sponsored Cyber Assault
The Pentagon recently disclosed that it had suffered one of its largest losses ever of sensitive data in a
cyber-attack by a foreign government. This adds to the need for a dedicated cyber
command unit. Just like India, the United States has been assaulted and hacked multiple times
by various state-sponsored agents for as long as there have been avenues to do so; the
significance of this incident is the public acknowledgement of a state player. It goes along with a
general escalation in cyber war rhetoric that began in earnest this spring, and seems to be part of
a strategy to dissuade such actions by tying cyber intrusions directly to kinetic military
responses. In India we are yet to have a dedicated Cyber command, though there are multiple
agencies and teams on passive and active monitoring. More active sensing and response across
Telecom, BFSI, Power utility and other major engineering networks is also a
requirement. Where known threats are detected, it would be useful and strongly advisable to
deploy responses in near real time to protect mission essential services.
Mission essential networks and network-delivered services need to be assured. Post
hoc forensics, while important, cannot achieve that objective. Commercial IDS and IPS,
alongside detectors at network gateways and on other network-attached devices, must be
integrated into perimeter and defense in depth solutions.
Multiple Indian Government and private enterprise portals are defaced every month. It is yet to
be known or assessed how many of those machines have been injected with malware. Cyber
awareness, situational awareness or any other way you put it, still boils down to creating new
terms that do nothing to protect what they are meant to protect. What we need is leadership
instead of rhetoric. We need to raise the bar for educational institutes to begin turning out
people with the right knowledge, instead of those officials that sit there and go "yeah, we know how to do
it" and then continue to complicate things.
Attention must be paid to the resiliency of both critical infrastructure and defense
systems. First we need to agree on a definition of resiliency and then apply the management,
engineering and process practices needed to achieve it, with a national objective and yet with
international partners.
National Cyber Security Management
There are some great lessons to be learned from some of the more tightly integrated systems at
the Ministry of Defence, the engines being the same old Ps: People and Process to manage technology.
Then, in effect, we may begin to synchronise our efforts across cyber intelligence and beyond.
This type of mechanism can cater for new data attributes to be collected, and only the collection
hubs need modification. A further vision is to have clustering hubs that collect all the data from the
collection hubs for wide-angle analysis covering many spectrums, each for a specific need and objective.
There are multiple ways of executing this, but what is really needed is putting the right people
together in the right place with the right ideas, and for it to be objective.
One thing worth observing is that whatever sensory equipment is deployed for
monitoring security-related information needs to be 100 percent passive and non-invasive, so that it
cannot interfere with the equipment or the machine being monitored. High on the flag
list, any shift in the data patterns should be considered an alert condition that calls for a health
check. Going into the technical details, it is also suggested that sensors on critical
infrastructure be one-way only, with absolutely no inbound polling for data.
It is high time that the Government take proactive steps on various dimensions related to cyber
security. With a booming economy, destabilising the economy has a much greater impact than
someone trying to discern and decipher what the JSAP process is!
—By: Dominic K, Deputy Editor 'InfoSecurity' Bureau.