
Author Archive | Cyberstrategy

A breach notification strategy for cyber attacks is needed

By Sandesh Anand

While a strong focus on protecting India’s cyber assets is required, it is reasonable to assume that there will be more cyber attacks in 2017. These attacks will lead to leakage of sensitive information, unavailability of your favorite internet services and other disruptions common during a cyber attack. It is hence important to deliberate on a breach notification policy framework.

Currently, many regulators (such as RBI) and CERT-in lay down many rules to ensure companies report certain kinds of cyber incidents. However, there is no policy which requires entities to report breaches to you and me, the consumers. This means that if (say) a bank gets hacked and that leads to leakage of consumers’ sensitive information (such as phone number, account balance), the bank is under no obligation to inform the consumers about the extent of the breach and explain what steps are being taken to prevent such incidents in the future. As a result, consumers are in the dark about the status of their data and cannot take corrective steps. For instance, if a consumer knows that her credit card number is compromised, she can contact her bank, cancel the card and get a new one issued.

Here are some questions to ponder while we design such a policy:

What type of breaches should be notified?

Agencies like CERT-in require companies to report any “significant” breach. However, attacks which are “significant” may be irrelevant for a consumer. For example, does the consumer really need to be notified if an attack caused a network outage internal to an organization? How about if only employee details were leaked? On the other hand, attacks which lead to leakage of consumer PII (personally identifiable information) certainly warrant a consumer notification. It is important to make it easy for organizations to distinguish between breaches which need to be notified and those which do not.

Who should be notified?

The policy should address the question of who needs to be notified. Should it be limited to “affected parties” (for example: users whose accounts were compromised) or should the entire public be notified? The answer to this question may differ based on industry, company size, ownership model (i.e. publicly held v/s privately held companies).

Should notifications be enforced? If yes, who should enforce it?

It is important for the policy to define if it merely “recommends” notification or enforces it. If the latter, the policy needs to define who the enforcer should be. Options include central government, state governments (such as in the USA) or industry regulators.

What should be the nature of the notification?

It will be useful to define the nature of the notification as well. While some flexibility can be provided to the breached organization, broad guidelines should be provided. The absence of such a guideline might lead to an organization notifying a breach through a small column on page 16 of a local daily.

When should the notification take place?

While it makes sense to provide breached organizations with some time to investigate the breach, it is important to have a deadline by which the organization has to notify the consumer. For example, the US state of Florida mandates that such a breach be notified within 30 days of determination of the breach.

A robust breach notification policy is a requirement as we move rapidly towards a digital economy. While some companies may resist such a policy as it makes things harder for them, it certainly serves the interest of their customers and brings in much needed transparency to the myriad world of cyber attacks.

Sandesh Anand is a GCPP9 alumni and an Information Security professional. He tweets as @JubbaOnJeans



The offense/defense dilemma in Cyber Security strategy

By Sandesh Anand

Cyber offense and Cyber defense have different (often competing) goals. Making the same organization responsible for both leads to a conflict of interest, where at least one of offense or defense may not receive due attention.

Protecting Cyber assets is a daunting task. It involves early detection of vulnerabilities in the system, fixing these vulnerabilities where feasible and building compensating controls otherwise, and responding swiftly to security incidents (or “cyber attacks”). Cyber offense on the other hand, involves finding vulnerabilities in the adversary’s system and exploiting them. A crucial part of Cyber Offense is ensuring (and very often, “hoping”) the vulnerabilities are not remediated so the attack can continue.

Vulnerabilities in commonly used software affect India and her adversaries alike

While different countries may have varying systems, the underlying technology used to build these systems (or the technology these systems are built on) is vastly similar. Take the example of operating systems. Most software is built on a handful of operating systems (Microsoft Windows and flavors of UNIX being the most popular ones). When a cyber defense agency discovers a vulnerability in such an operating system, its first reaction would be to find a way to protect against the possible impact. As a part of the effort, such an agency would also apprise the vendor responsible for the operating system and push them to fix the vulnerability (and hopefully hold them accountable for it). This will ensure future usage of the operating system is secure. On the other hand, when a cyber offense agency discovers such a vulnerability, its first reaction would be to come up with ways to exploit the vulnerability in adversary systems. In addition, it would do everything in its capacity to keep the vulnerability a “secret”, so the vulnerability is not fixed.

When a single agency handles offense and defense, it is hard to predict how it will react to discovering a vulnerability in software used both by organizations within the country and by adversaries. This is precisely why separate agencies should handle offense and defense. There is certainly a case for information sharing to occur between such agencies, although, given their varying goals, the mechanics of such a relationship would be complicated. In their 2011 paper (Chapter 3), Gary McGraw and Nathaniel Fick explain this dilemma for the American context:

“The American government should not allow the National Security Agency (NSA) or another part of the intelligence community to dominate U.S. cyber security policy, for two reasons. The first has to do with separation of duties. Spycraft is facilitated by vulnerabilities in software that can be exploited in order to turn electronic devices into eavesdropping platforms. Consequently, an agency charged with spycraft understandably has mixed incentives to promote better software security.”

In the Indian context, it is unclear which agencies are responsible for Cyber Offense. NCIIPC, which is responsible for protecting India’s critical information infrastructure, comes under NTRO, which has also been given the responsibility to develop cyber offensive capabilities (it is not clear if NTRO is the only agency which works on this). Separation of duties will go a long way in ensuring our national interests in both Cyber Offense and Cyber Defense are maintained.


Unified strategy on cyber security regulation needed – V


By Sandesh Anand

There is little doubt that securing our cyberspace is important. Over the last few years, the union government has acknowledged the importance and taken many initiatives to improve the security posture of our cyber infrastructure. However, the lack of a coherent message from the various agencies working on such an initiative can lead to cyber-security becoming no more than a heavily regulated compliance burden.

Cyber Security is complex, but the regulators need to keep it simple.

The “National Cyber Security Policy” drafted in 2013 is an important document. While not yet implemented in full, various recommendations made in that document have been implemented. One of the principal “strategies” of this policy is to create a nodal agency to co-ordinate all matters related to cyber security. The CERT-in was created to fulfill this requirement. In addition, Section 70(A) of the IT Act mandates the creation of another “nodal” agency to protect the nation’s Critical Information Infrastructure. The NCIIPC (National Critical Information Infrastructure Protection Center) was hence created. Finally, regulators of various sectors (banking, telecom etc.) have understood the importance of cybersecurity and have come up with their own “CyberSecurity guidelines”.


Sense the problem?

Let’s take the example of a bank which wants to implement a cyber security program. In addition to doing all it can to protect its assets (based on its expertise), the bank also wants to make sure all the regulatory boxes are ticked. Given that it comes under the definition of “Critical Infrastructure”, it will need to follow the guidelines provided by NCIIPC. In addition, RBI has multiple guidelines on how banks should implement their Information Security program. CERT-in also provides various guidelines on how to implement specific aspects of the bank’s Information Security program.

The story repeats when a breach occurs. NCIIPC has a 24*7 desk to handle incidents on CII (the bank will need to notify them); at the same time, banks are required to notify RBI and CERT-in when a major breach occurs (defining “major breach” itself can be an interesting exercise. Let’s reserve that for a separate post). So in addition to swiftly dealing with a breach, the bank will have to deal with the red tape of communicating with three different agencies.

Given the complexity of the subject, it is desirable to have multiple opinions on the best way to implement cyber security. However, it is important for the regulatory framework to speak in one voice. Far too often, security is looked at as a bottleneck or a mere compliance requirement. When this happens, the focus of the industry is less about securing their ecosystem and more about making sure all the boxes are ticked. As we figure our way through the maze of cyber security, it is important for our regulatory system to get its act together. There has been talk about a “National Cyber Security Assurance Framework” being developed. Such a framework should work to unite all the current efforts instead of adding yet another layer of regulation for the industry to follow.


Sandesh Anand is a GCPP9 alumni and an Information Security professional. He tweets as @JubbaOnJeans