As the world grapples with the effects of COVID 19 and puts greater reliance on digital services and platforms, the threat to critical infrastructure has spiralled.
Lt Gen Rajesh Pant:
Lt Gen Rajesh Pant (Retired) is the Chief of Indian National Cyber Coordination Centre (NCCC). An internationally renowned soldier-scholar, General Pant has 42 years of experience in the Indian Army, especially in the field of Electronic Warfare, Geo-intelligence and Cyber Warfare. He is a founding member of India's indigenous Electronic Warfare (E.W.) programme and has more than ten years of experience in top-level Defence I.T. and Telecom training. In 2007-2008, he was among the first people to introduce information technology in defence services, and the concept of communication platforms on information warfare in India. He has been an international consultant in C5ISR systems and Information Security.
Synergia Foundation, which has always been at the forefront of security dimensions in the cyber world, hosted its 8th Webinar (Synergia Forum 71) on 'Threats to critical infrastructure in a post-COVID World'. Lt Gen Rajesh Pant was one of the keynote speakers.
Understanding Critical Infrastructures
“Can you clearly distinguish between critical and non-critical infrastructures in the modern world when everything is interconnected?” asked General Pant while defining “critical infrastructures.” With technology changing so rapidly, its reach into almost every aspect of life is making it difficult to allot priorities.
Critical infrastructure describes assets that are essential for the functioning of a society and economy. The U.S. has 14 sectors that fall under this. The U.S. Homeland Security guide on critical infrastructure states that natural and man-made incidents have the potential to incapacitate critical infrastructure. The Netherlands, along with a few others, even considers “Heineken” to be a part of its critical infrastructure!
In India, under the National Critical Information Infrastructure Protection Centre (NCIIPC) created under Sec 70A of the Information Technology Act, 2000, there are six critical sectors: transport, oil & natural gas, power, telecommunications, government and strategic (related to the critical defence sector). The health sector never merited this attention, but can we ignore it today, especially the critical labs involved in vaccine research?
It is best to focus on all threats, including environmental and biological, which would allow for better planning and utilisation of resources. There is also the question of interdependence between sectors. Tomorrow it could be a sector as mundane as water supply and purification, which has undergone immense digitisation, thus rendering it highly vulnerable to cyber threats. In the case of a natural disaster that cuts off electricity, water could neither be filtered nor reach places miles away. This example highlights why interdependencies should also be taken into account when planning for threats to infrastructure.
Threats during COVID 19
India’s internet consumption has risen by 13% since the nationwide lockdown was put in place to check the spread of Covid-19, according to telecom ministry data. "Cyber criminals are exploiting the COVID-19 outbreak as an opportunity to send phishing emails claiming to have important updates or encouraging donations, impersonating trustworthy organisations," as per the advisory put out by Computer Emergency Response Team of India (CERT-In).
“There are a lot of IoT devices that are being used, there’s Alexa, there’s your camera. All these are now coming as a part of your home environment, now that’s a cause of concern as these can become entry points when you are working from home. Then if you are using a VPN, then there’s something else, there’s a VPN aggregator with the optical switch operator. So, the whole security architecture has changed,” says Lt. Gen. Pant. "From there we come to cybercrime. Globally it has shot up by 500%. That is the change in data that is now being accessed.” With the pandemic, more people are working from home and accessing confidential company data from their home computers, rendering themselves vulnerable to cyber intrusions. Cybercrimes have gone up by over 500%. This was bound to happen when more and more novices are entering the cyber world; email traffic in India alone has risen from 20 million per day to over 70 million per day.
A large number of apps are being used on millions of smartphones, with users having little idea about their security. To complicate matters further, almost every piece of electronic equipment is linked today, be it medical devices used by the health care sector or systems managing critical supply chains, and few have been protected against cyber threats like ransomware. Labs looking for a vaccine for COVID 19 are especially vulnerable and need robust protection. Online financial transactions have ballooned, with over 50 lakh new UPI handles being opened—laggards who are now venturing into the cyber world like so many sheep to the slaughter! On top of this, fake news on social media is rife, compounding the confusion and panic.
Managing Security of Critical Infrastructure
Listing the most critical challenges, General Pant emphasised End Point Security, where the end point is not the laptop on which an individual is working but his mind. Every individual needs to develop an inherent sense of cyber hygiene and security. “The concepts of security remain the same, whether physical or cyber, you cannot address everything with the same level of security. So, the concept is to protect the core areas with whatever that you have. In the COVID era, our strategists are saying that we are entering an era of e-globalisation. Threat intelligence sharing is very good,” he stated.
There is also a need to look into security threats at different levels of engagement, such as the individual level, enterprise, sectoral, national, and international levels.
Public-private partnership in infrastructure security
In the U.S., most of the critical infrastructure is owned by the private sector (about 85 percent, according to the Department of Homeland Security) and is regulated by the public sector. It is therefore understandable that using and protecting critical infrastructure requires a strong partnership between the public and private sectors. Preparations from both the government and industry are critical. An OECD study of Public-Private Partnerships in Finland found that public bodies alone should not take full responsibility for maintaining these sectors; the private sector should also invest in this preparedness to achieve a whole-of-society approach to risk and attack prevention.
Lt. Gen. Rajesh Pant emphasised Public-Private Partnership for developing cyber security solutions in the future, keeping in mind the immense value of data, which is critical for both the public and private sectors. “I don’t think that there is any doubt that without Public-Private Partnership there isn’t the ability to find cybersecurity solutions but let me tell you today even in the public sector, in the six sectors; let’s say telecom sector, mostly it’s private. Except for BSNL the other players are private. The power sector also has private partners. Solutions are also provided by private parties. With the start-up culture that’s coming up and the incubators which are being provided in educational institutions, there is no doubt that the private sector is playing an increasing role in cybersecurity. As long as the solutions are indigenous, servers are within the country, at least in the critical sector we would be very comfortable.”
Changing face of security
With new sectors created by working from home, such as tele-forensics and tele-audit, becoming more and more important, Lt. Gen. Pant predicts that these sectors are where new cybersecurity solutions will come from. "There are a lot of savings involved in [working from home] like transport, office space etc. So, in that environment, how are we going to implement cybersecurity solutions? People are already working on it. You surf the net, and you will find so many solutions for remote security. This is an ever-changing field," he says.
This is already evolving rapidly. The E.U. Agency for Cybersecurity published tips for teleworking during the pandemic that focused on security and protection for individuals and enterprises alike. There is also a need to understand how this can be applied to the public sector, with the central government having mandated work-from-home orders for its staff.
This practice does not have to be limited to a pandemic. An analysis of the U.S. workplace conducted by FlexJobs and Global Workplace Analytics found that remote work grew 7.9% in the span of one year (2016-2017). Between 2005 and 2017, there was a 159% increase in remote work. With these growing trends of remote and flexible working, there is a need to change the way we think about security as a whole.
The price of data
The Department of Homeland Security defines a data breach as "the unauthorised movement or disclosure of sensitive information to a party, usually outside the organisation, that is not authorised to have or see the information." Lt. Gen. Pant states that people in India don't understand the value of data. “Facebook paid the Federal Trade Commission of U.S. 5 billion dollars for the data that had gone to Cambridge Analytica. So, I don’t know in what way it will take for us to realise the value of data,” he muses.
The annual Cost of a Data Breach Report, conducted by the Ponemon Institute and sponsored by IBM Security, analysed the cost of data breaches at 507 organisations across 16 geographies and 17 industries. The results showed that the average total cost of a data breach was USD 3.92 million, with Healthcare being the most expensive industry at USD 6.45 million.
The study also looked at the long-term repercussions of data breaches and found that organisations continue to pay the price of a breach over the next 12 to 24 months, with the costs carrying over by around 22%. For India, the average cost of a data breach grew 7.29 percent to reach Rs 12.8 crore (128 million) from Rs 11.9 crore (119 million) in 2018.
There is also the question of other security measures, like security cameras on streets and roads. “This is the debate, right? For your security we are putting something then you think your privacy is being threatened. It’s a discussion in itself but, from my point of view, it’s the security,” he says.