NCIIPC Foundation Day 2017 – (Part 3) Taking stock and looking ahead

This is Part 3 of the coverage of the proceedings at the NCIIPC Foundation Day Conference held on 16^th January 2017. You can access Part 1 and Part 2 here – these cover the keynote addresses by the Dy NSA, Chairman-NTRO, NCSC, and DG-CERT.

The first panel discussion I attended brought about some pretty radical views about supporting government. If this is how they offer support to government, we should not be surprised where we are today!

Mr Chandrasekhar from Microsoft says that they have a “Government Security Framework” and that they are willing to share malware and signatures from their eeeeexxxxxxtensive library with the Govt of India PROVIDED they get an assurance this will not be misused. LMFAO. Mr C should see this Cyber Security Center setup and let us know how much this is true or share information about any “assurance” they got (or gave) the Govt and / or the Chinese Govt or the NSA.

IW Comment: This statement startled me and now I am curious to know what is the quid pro quo that Microsoft has got from the Government for the “state-of-the-art” Cyber Security Lab that has been set up and publicized as a unit that is working closely with government.

Check this article and try to understand what is happening: According to Madhu Khatri, Associate General Counsel, Microsoft India, “We want to collaborate with our customers, our partners and with the Government to combat cyber threat in India.

IW View: The problem is that all the big folks come, speak, and go away and there is hardly any time to ask a question and engage in hard-talk. And once off the dais these folks will either run away to some “important” meeting or be perpetually engaged with someone. No room to ask Mr C why I got a dagger in my heart.

Surprisingly, Mr Katkar from Quickheal spoke in a similar vein which is unexpected saying that there is no legal framework for sharing data but that they will be happy to share automation tools for skill development.

IW View: Every company is created to make profits and to expect non-profit actions from a commercial entity is incorrect. However, when the country is facing a challenge and is moving into a crisis situation it is the bounden duty to lend a helping hand. We can all reach out to someone or the other in government and help. I don’t think that the tools offered would really address the cybersecurity needs of Critical Infra Protection in any manner. However we will be very happy to be corrected.

The other unknown which came out of the discussion was that only 2 organizations are presently notified as CII entities – Ministry of Shipping and LRITC. As such it is not sufficient just to be associated with NCIIPC. The organizations have to work with the MEITY and NCIIPC to be declared as CII which is done through a Gazette notification. Once this is done, the CII gets an additional layer of protection and the applicable law is more stringent.

IW View: Don’t ask me what or how, this is what the panel said. I am as shell shocked as anyone else!

It seems that the role of NCIIPC becomes more active if the entity is declared as CII.

In any case, as per law NCIIPC has to come up with policies and procedures and is working on the same. This should become public shortly. Another important point made was that organizations are liable to report security incidents.

IW View: While NCIIPC will have to dive in-depth with notified entities, it is good there are only 2 organizations at present. Dr Gulshan Rai had said earlier in the day that there are 250 organizations registered with NCIIPC. Now if all of them become notified entities it is going to be a big problem to manage them.

In another panel discussion, there was another shock awaiting the audience – the ADG (IS) for UIDAI strongly expressed his dislike for the RTI applications which are received. He went on to talk about his other challenges which were pretty mundane and was essentially the lack of skilled resources.

IW Comment: A member of the audience did ask him about RTI and how come he had a dim view of this function as it was the only legal recourse available to the citizens to know about functions in government establishments. He said something about many RTIs asking inane stuff .. dear Captain inane or whatever, hope the responses are not canned or inane.

IW View: I am also curious about the continuous refrain of every department about the lack of skilled resources. On the other hand, there are professionals actively looking for jobs. Most government departments do not want to hire, do not want to pay a good salary, will not create a happy / innovative work space but will seek the best and then they say there is a shortage! Besides, another question which begs an answer is – why has the government (or academic institutions) not been able to fill the gap for so many years!

Other challenges that were highlighted are about the dependence on vendors for manpower and the buyer does not have any other source to advise on the suitability of the product being purchased. Then there is the problem of legacy code which has the same issue – lack of people and funds to patch; besides being dependent on US sources to tall us whether the vulnerability is high / medium / low risk.

However, Indian Railways seems to be happy with such a situation as it seems to be secure by default – he said that there are not too many people who have skills for the code of the (legacy) systems so they are secure. And since the old systems are doing well there is no reason to change and bring in new systems which will be vulnerable!

One very interesting point of view was put forward by Mr Pillai from ISGF that there should be a change in how we consider L-1 when purchasing. At present the government buyer has to go for an L-1 vendor whether buying heavy equipment, a transformer or consulting services which is incorrect as tangible and intangible have to have a different yardstick for selection. The ISGF has created a framework for assessment of electric grids and top 10 findings were shared with the Power Ministry.

There was consensus that the Government of India must employ experts who should be on different rates / payscales.

Conclusion – this was a pretty extended day of learning about the working in the government as well as knowing the mindset of some organizations (positive and negative). It will be good for NCIIPC and other organizations to have public meetings in a similar manner where they can invite cyber security professionals. If not a physical meet then these organizations can have virtual meetings in any format (twitter, reddit, facebook etc). While this three part series is based on some notes made during the conference, we will try to have a more detailed and ‘journalist’ type reporting the next time.