In 2007, the UK government admitted that its revenue and customs department lost the details of 25 million individuals (nearly 40% of the population). The incident caused a public outrage and the British prime minister was forced to apologise to the nation.
Cut to 2010. India is not only a booming economy, but the government agencies are a repository of information that many would like to get their hands on! Whether it is land records, tax records or health records, information housed within government institutions is growing manifold. On the other hand, initiatives like filing tax returns online show that information is getting increasingly digitised, leading to the government increasing its spend on IT infrastructure. For instance, the government plans to spend a whopping Rs 10,000 crore, or 3% of its annual plan budget, on egovernance projects in 2010-11.
Last week, the government rolled out its most ambitious egovernance programme Aadhaar, and the Unique Identification Authority of India (UIDAI) has set a target of issuing around 100 million 12-digit unique numbers by the end of this fiscal and 600 million by 2014. UIDAI representatives will collect demographic and biometric information to establish uniqueness of individuals; the information collected and stored in a centralised database will be mammoth and most precious.
No wonder, most government enterprises have started functioning like some of the largest businesses in terms of their IT. Hence the threats they face are increasingly similar and as targeted and sophisticated. Most people would agree today, the best way to compromise a nation's defences is by accessing their most valued asset: information. Evidently, new age cyber criminals are targeting key areas of weakness that are putting large IT environments at risk. For instance, Chinese and Pakistani online espionage agents continue their attempts to hack into Indian computer systems; hostile intelligence agencies are also trying to steal defence secrets through the use of computer storage media (CSM) devices like pen drives, removable hard disks and CDs.
Pavan Duggal, advocate, Supreme Court of India, says that governmental systems and websites are far more vulnerable to cyberwar attacks than general private enterprise sites. "From the hacker's perspective, attacking the governmental websites tends to give more of a symbolic victory as it helps to spread the message that the government itself is not capable of protecting its own websites and hence cast doubts on the inherent capacity of the government to protect the IT infrastructure of the country. Hackers are also keen to hit the private sector websites, especially those which are doing the maximum ecommerce or egovernance related activities so as to inherently put a spoke in the wheel for the promotion of ecommerce or egovernance related activities," he says.
According to a DSCI-KPMG survey on the state of data security and privacy in India, 63% of IT/ITeS companies, 57% of financial services companies and 46% of PSUs indicated that information security is top priority. Also, according to the recently conducted Symantec study on the State of Enterprise Security 2010, cyber attacks were still a larger concern for Indian enterprises in 2009 than terrorism. In fact, 42% of the enterprises surveyed rank cyber risk as their top concern, more than natural disasters, terrorism and traditional crime combined.
Shantanu Ghosh, vice-president, India product operations, Symantec India, reveals that the most recent attacks on government enterprises were the phishing attacks on the income tax department and six PSUs, including the Reserve Bank of India, that were first reported by Symantec earlier this year. Also, at the beginning of this year, the National Security Adviser had revealed that his office and other government departments were targeted late last year. In that case, an email PDF attachment with an embedded Trojan was used to allow hackers to access and tamper with data.
Globally speaking, an Irish newspaper reported in 2008 that the government had lost the personal data of social welfare recipients. The incident left the department of social and family affairs contacting the 3,80,000 recipients after it emerged their personal details were stored on a laptop computer which was stolen. About 1,00,000 of the records contained bank account details.
More recently, it was reported that the United Kingdom's ministry of defence had lost more than 340 laptops worth more than 600,000 pounds in the last two years. Even USBs, hard drives and mobile phones were lost from the department. What was appalling in this case was that only one in five of these devices was encrypted. The report also indicated how it was not just the ministry of defence but also other departments like tourism and department for works and pensions that suffered similar losses.
Whether the motive behind these losses was intentional or not, the fact remains that unlike other enterprises, the breach of data in government organisations can have direct repercussions on the lives of citizens as opposed to affecting bottom lines alone. This drives home the point that cyber security needs to be heightened in government enterprises.
So what is the need of the hour? Ghosh says that cyber attacks can be divided into two broad categories. These categories are attacks against infrastructure and attacks against information. Often these attacks will happen in a combined fashion. It is highly probable that even when the infrastructure is the final target of the attacker there will be a degree of information compromise as part of launching the attack.
The need for today's government enterprise is to prevent valuable digital information from leaving their organisation.
Confidential government information needs to be protected from both internal and external threats. Today, attackers are targeting four key areas of weakness that are putting tech-enabled government environments at risk: poorly enforced IT policies, poorly protected information and infrastructure, along with ill-managed systems.
As the pace of information growth accelerates, the digital infrastructure expands and new computing platforms are adopted, these organisations are realising that they have more to manage than ever before. They now require a focus on security continuity that allows them to continuously respond to internal and external changes.
Some recommendations: First and foremost, they need to understand that cyber security questions are no longer an exotic topic focusing primarily on spam messages and frozen personal computers, but can have a more serious impact and hence need to be taken extremely seriously.
Second, security is no longer antivirus and firewalls.
Security needs to be mobile, adjustable and dynamic. Most importantly, however, security needs to be in depth. Multiple layers of protection are necessary in order to detect, stop and prevent attacks.
In short, the need of the hour is a well-structured IT security strategy that enables government enterprises to protect their information assets. These enterprises now require a security strategy that keeps up with the fast moving pace of operations and is not just limited to stopping the latest malware attacks.
