Cyber security needs holistic action.
It is welcome that the government is waking up to the requirement of cyber security, the proposal to levy a fine on any telecom operator that installs any piece of equipment containing any malicious capability, the amount of the fine being equal to the value of the contract through which the equipment was procured.
It is expected that the telecom operator would incorporate clauses in their contract with the equipment vendor to pass on the cost of the fine to the supplier. This is welcome as a minimum deterrent.
But much more needs to be done to safeguard our data networks that today embrace all kinds of vital infrastructure in energy, commerce, transport, governance, education, healthcare and finance, making them more efficient at lower cost, but also exposing them to data theft, manipulation and potential takeover of control by hostile actors.
These hostile actors could be states, states within states, or non-state actors who are lent technological capability by state actors. We need a comprehensive strategy, laws, budgets, professional cadres and dispersed awareness to secure the safety of our communication networks. But while these are being put in place, we cannot hold up expansion of the telecom network.
Hence, the current proposal to levy fines for breach of ethical standards and to mandate submission of source codes and design of equipment installed in the network are welcome. Now, physical equipment by itself cannot create a network.
Several overlays of software reside over the physical network to enable communication. The feasibility of mandating that the hardware and the software overlay be unbundled and sourced from separate, unconnected companies from different countries needs to be examined, even if it raises network costs a bit.
The internet was not designed for safety, the designers aspiring for a global commons where malice had no role. Software is not written with security in mind.
Engineering courses do not train students to integrate cyber security into the basic design and coding of software. All this must change. That calls for coordinated action on multiple fronts, including legislation, setting up new institutions for coordination, public-private partnership and, why not, creating markets for systemic cyber security.
Posted by Mani Shankar Prasad,Head India Operations at NeoAccel Inc|02 Aug, 2010