“Ransomware criminals are not only encrypting files now, they are also threatening to exfiltrate data, and expose them to the rest of the world. So ransomware as a mechanism for disruption has expanded tremendously,” Narendra Nath Gangavarapu, joint secretary in the government’s National Security Council Secretariat, said at our webinar last week.
Vishak Raman, VP of sales for India & Southeast Asia at cybersecurity firm Fortinet, said ransomware demands have gone up to 8-9% of sales revenue. “Adversaries are collaborating (to attack),” he said.
A multi-dimensional defence is today being orchestrated to deal with this challenge. Innovation in technology is one part of it, covering every element of the broad attack surface. Kishore Reddy, SVP of engineering, and MD at Fortinet India, noted that the massive attack on SolarWinds, the network and systems management software company, which occurred in 2020, was the result of a backdoor entry in its code that it wasn’t aware of. “When there are state-sponsored attacks, we have to start from the basics, from the code part. We have to start securing the devops (integrating security into the whole software development process),” he said.
Reddy said significant advances are also happening, including through work the company does in its Bengaluru and Pune centres, in the areas of securing applications, cloud, and network elements such as wi-fi and switching.
Governments are also establishing testing and verification agencies to certify that products, especially those used in critical infrastructure, meet certain standards. Rajesh Pillai, scientist at DRDO (Defence Research & Development Organisation), said they have developed a framework for defence infrastructure, and are now looking at industry in India to use this to certify products.
Gangavarapu said the Indian government is developing sectorwise reference architectures so that organisations are aware of what kind of products should be put in their networks. He noted that the government in 2020 also came up with a directive for the telecom sector that only trusted products from trusted sources (companies/countries) can be put into the networks. “The power sector is now working on a similar scheme,” he said.
Intelligence gathering has also become an essential element of defence. Reddy said they do a lot of AI and threat intelligence related work to learn from the patterns of data and predict what’s coming. Raman said the future will depend on who has the best intelligence to prevent an attack, and even predict an attack at the brewing stage.
Core to intelligence gathering is also collaboration among companies and countries involved in security. The faster one shares, the greater the chances of preventing or mitigating attacks. “That’s the only way to survive,” Pillai said.
Gangavarapu said India has signed MoUs with CERTs (computer emergency response teams) of many countries for sharing of threat intelligence. “And we have standardised platforms to do so,” he said. India is also part of the Global Ransomware Initiative, another vital collaboration forum.
Raman said Fortinet has built partnerships with CERTs, with Nato, Interpol, and FBI on cybercrime and cyberterrorism. The company, he said, has also built a tech platform called FortiMesh, where it has close to 400 partners, and where it publishes open APIs for any industry to pick the threat intelligence.
Vinayak Godse, senior VP in Data Security Council of India, said platformisation enables each to leverage others’ capabilities. He said it also enables different disciplines – technology, policy, legal – to come together. As Gangavarapu noted, companies like Fortinet may have great products, but they don’t have powers to prosecute; for that they need to work with the government.
Developing cutting-edge products, implementing them, building partnerships and providing consulting all require plenty of talent, and that’s another huge focus area now. Godse said some 184 colleges have set up some BTech or MTech programme in cybersecurity. He said the Nasscom Sector Skills Council is also giving specific attention to cybersecurity skills.
Reddy said coding skills are not essential to be in cybersecurity. “Awareness of what could go wrong, awareness of what kind of products are there in the market, awareness of how fast this domain changes, those are all valuable skills. And there are a lot of free courses to learn these skills,” he said.