CERT leaders in the U.S. and India convened in New Delhi last week to express solidarity in fighting growing cybercrime and establishing a secure cyber ecosystem. They signed a memorandum of understanding to work closely in strengthening cybersecurity and promoting threat information sharing.
But security practitioners ask: When will this result in significant action? And will India benefit from it? For far too long, discussions have been going on and agreements signed with no tangible results.
"It's good to see that the U.S. and India are working in tandem to improve cybersecurity. But a practical and systematic action plan is missing because India seems to have unique challenges"
A similar pact reportedly was signed in 2011 to promote closer cooperation and timely exchange of information between the organizations of their respective governments responsible for cybersecurity. And after almost six years, not much has changed.
In 2015, the U.S.-India Business Council's senior leaders reviewed many issues, including cyber threats, information sharing and incident management. The Indian team was led by National Cybersecurity Coordinator Dr. Gulshan Rai.
The most recent meeting of the council was in October 2016 to discuss the information exchange program and application of international law to state behavior in cyberspace, affirm norms of responsible state behavior and develop practical confidence-building measures.
The recent CERT meeting was about the same subject. The only difference was the change in the participants.
I don't see a new agenda or perspectives coming through. The current memorandum of understanding intends to promote closer cooperation and exchange of information pertaining to cybersecurity in accordance with the relevant laws, rules and regulations on the basis of equality, reciprocity and mutual benefit.
At the October 2016 council meeting , the agreement listed similar issues: exchanging information on cyber threats; promoting bilateral cooperation on law enforcement and cybercrime issues; creating a mechanism for cooperation, including setting up appropriate subgroups; coordinating cyber capacity-building efforts, including testing and standards; and confirming support for preservation of openness and interoperability, enhanced by the multi-stakeholder system of internet governance.
Sources who attended the discussion in October declined to comment on the next course of action.
Action Plan: What's the Challenge?
It's good to see that the U.S. and India are working in tandem to improve cybersecurity. But a practical and systematic action plan is missing because India seems to have unique challenges.
CERT-In's team seems to be preoccupied with collecting numbers on the type and quantity of attacks in India. These are primarily for sharing with the minister of IT for discussion in parliament to prove how active the ministry's been in tackling cybersecurity issues.
I understand there's pressure on CERT-In and the IT secretary from the top to push "Make in India" products, with security given the least importance.
A top cybersecurity source in government tells me that India's key challenge is that organizations have communication gaps between each department and function.
"We need to compile information about the current cybersecurity portfolio of each department or functions across various verticals and critical infrastructure companies, but they don't know what to share and what's critical," he says.
The fundamental problem is each department's lack of understanding of criticality of cybersecurity and what kind of solutions must be deployed.
In one sign of hope, Aruna Sundarajan, IT secretary, ministry of communications and IT, recently told the media that the government may come out with technical standards on how to deal with the challenges of a cashless economy, spelling out responsibilities as well as liabilities for various financial intermediaries. It would also give details on how to address consumer grievances while also mandating customer awareness measures.
"This is on the highest priority and on fast-track. We are also taking the help of legal, cybersecurity as well as industry experts," she said.
What Needs to Change?
That India and the U.S. have a strong commitment maintaining individuals' privacy and aspire to strengthen cybersecurity is beyond doubt.
It's important for the CERTs of both nations to discuss issues around technology transfer. A common refrain that I hear is that India is almost 15 years behind the U.S. in cybersecurity initiatives.
Why not bridge that gap? It is critical for CERT-In to focus on helping educate organizations on deploying the right technologies and tools to thwart cyberattacks.
More than building capacity, the existing resources must be effectively utilized. A strong information sharing framework within each department and between private, public and academia is what's required.
India's regulators also need to collaborate on cybersecurity and work toward the passing of a threat information sharing law, following the U.S. model.
A uniform cyber code of conduct is also necessary to help the public and private sectors function under strict security controls. And creating international consensus on cybercrime prevention is critical to developing cybersecurity standards.