
WCIT 2014 Som Mittal - Managing risks in an interdependent economy risks related to cyberspace

Date post: 21-Jun-2015
Upload: wcit-2014
Workshop on Managing Risks in an Interdependent Economy: Risks related to Cyberspace. Som Mittal, Former President & Chairman, NASSCOM, India. Sept 27, 2014
Transcript
Page 1: WCIT 2014 Som Mittal - Managing risks in an interdependent economy risks related to cyberspace

Workshop on Managing Risks in an Interdependent Economy

Risks related to Cyberspace

Som Mittal, Former President & Chairman, NASSCOM, India

Sept 27, 2014

Page 2

A Global and Interdependent World

Page 3

Digital Connectivity Growing Rapidly

Source: Open.edu

Page 4

Every Advancement brings New Risks

Advancements and their Associated Risks:

• Increased air travel / Commutation: Accidents & Disasters, Pollution
• Nuclear Plants: Contamination / Nuclear Weapons
• Seamless communication and interconnected devices: Increased global risks
• Digital Age: Cyber crimes / warfare

The only solution is to find ways to mitigate

Page 5

Global Risk Landscape – Systemic Risks

• Economic Risks
• Societal Risks
• Geopolitical Risks
• Environmental Risks
• Technological Risks

Source: World Economic Forum Global Risk Report 2014

Video: Cybersecurity.mp4 (Courtesy: Microsoft – Europe)

Page 6

Global Risk Landscape – Impact & likelihood

Figure labels: Critical info Loss; Cyber frauds; Cyber attacks

Source: WEF

Page 7

Major Global Risks 2014

Likelihood

• Income Disparity
• Extreme weather events
• Unemployment & Underemployment
• Climate change
• Cyber attacks

Impact

• Climate change
• Fiscal crisis
• Water Crises
• Critical information Infra Breakdown
• Unemployment & Underemployment

Source: World Economic Forum Global Risk Report 2014

Page 8

Cyber Risks in the Fifth Domain

• Ever Expanding ~ (IoT, SMAC)
• Vulnerabilities in all platforms
• Knowledge about vulnerabilities available openly
• Attacks from anywhere; cheap to launch
• Defense expensive
• Attribution difficult
• Offense dominant
• Global commons

“Everything that is connected to the Internet can be hacked, and everything is being connected to the Internet” - Rod Beckstrom, former president, ICANN

Page 9

Cyber Risks are Real and Happening Today

Cybercrimes

• Financial frauds, identity thefts, copyright and trademark violations
• McAfee estimates cybercrimes cost businesses $400 billion worldwide

Cyber attacks

• NASA, RSA, CIA, Sony, Lockheed, Pentagon, Google, Citigroup attacked
• Target; 1.2 bn usernames and passwords stolen
• Cyber attacks on critical information infrastructure e.g. Stuxnet infections

Cyber espionage

• Economic, military, state secrets theft on rise; annual loss of IPR is over $1 trillion
• US government filed case against 5 Chinese army personnel for stealing trade secrets of large US companies

Cyber warfare

• Cyber attacks on Estonia, Georgia, South Korea and others
• Non-state actors used for specific aims, global crime syndicates etc.
• Nation-states developing offensive capabilities, Stuxnet, Flame etc.

Harmful Content

• Used for demagoguery - fight against states on issues, even organize revolutions - Arab Spring
• Mass migration of people from the south to the northeast of India, London riots

Page 10

Cyber Risks are Expensive

• CSIS puts the annual global cost of digital crime and intellectual property theft at $445 billion

• Corporates spent $67 billion on information security last year.

• Destruction in 2010 of centrifuges at a nuclear facility in Iran by Stuxnet and the one in 2012 dealing with the virus known as Shamoon.

• Last year over 800m records lost. Most prominent: Target, whose CEO, Gregg Steinhafel, quit in May. Adobe and eBay also hit.

• Barack Obama accepted that cyberthreats “pose one of the gravest national-security dangers” the country is facing.

Source: The Economist

Page 11

Cyber Risks cause Reputational Damage

iCloud Hacked

Recent iCloud cyber attack leaked nude photos of more than 100 celebrities -- Jennifer Lawrence, Kate Upton, Ariana Grande and Victoria Justice, to name a few.

Target to book $148 million in data breach expenses

Cisco CEO writes letter to Obama asking him to stop the NSA hacking into his equipment

Cyber attack on eBay compromised customer data, and the company urged 145 million users to change their passwords.

Adobe hack attack affected 38 million accounts.

Hacking group Rex Mundi held Domino’s Pizza to ransom over 600,000 Belgian and French customer records demanding $40,000 in return.

Page 12

Politicization of Cyberspace – Strategic Issues

Internet Governance

• Strategic advantage of few countries controlling Data
• Control of critical Internet resources
• Rise of powerful transnational institutions - new models of governance?
• Debate on human rights and freedom of expression versus content control

Cyber Security / National Security

• Vulnerabilities in critical national assets; Impact on National Security
• ICT Supply Chain Risks; interference in ICT supply chains; backdoors
• Localization of ICT Infrastructure for national security and privacy protection reasons
• 120+ military intelligence agencies believed to be developing offensive cyber capabilities
• Shortage of security talent; lack of capacity building efforts
• Lack of information sharing - government to business and business to business
• Lack of global cooperation; Existing instruments not effective

Privacy

• Surveillance by foreign governments
• Restrictions on trans-border data flows for privacy protection

These have to be addressed

Page 13

How do we mitigate these risks?

This has to be done at multiple levels

• Individual

• Technology users

• Technology providers

• Government

• Global cooperation

Page 14

Cyber Security – Individual Role

Issues & Challenges

• Poor awareness of risks, legal rights and legal obligations
• Non-seriousness
• Behavioral inconsistencies
• Poor spending on genuine software, security solutions

Possible Solutions

• Being vigilant; Take the threats seriously; Follow guidelines
• Make investments to buy genuine software and security solutions
• Be aware of legal rights and obligations

Page 15

Cyber Security – Role of User Industry

Issues and Challenges

• Security not priority in procurement
• Lack of understanding of issues and management support
• Compliance driven approach & practices; Security treated as a cost center
• Non-seriousness of employees
• Lack of information sharing with peers and government/regulator

Possible Solutions

• Focusing on ICT Supply Chain practices across the product or service lifecycle; demanding security
• Making security a Board agenda; Treating security as a business enabler
• Taking risk based approach to security
• Establishing ownership and accountability of stakeholders
• Continuous efforts to make employees aware of their role and risks
• Creation of institutional mechanisms for industry level information sharing

Page 16

Cyber Security – Role of Technology Providers

Issues and Challenges

• Few companies proactive in embedding security in design – investments in secure code development missing
• Demand based security instead of being a hygiene / assurance factor
• Lack of focus on threat intelligence and vulnerability management
• Shortage of security talent

Possible Solutions

• Implement ICT Supply Chain standards and best practices; Deploy secure coding practices
• Treat security as an ongoing activity rather than a one-time implementation
• Invest in threat intelligence and vulnerability management capabilities
• Invest in capacity building

Page 17

Cyber Security – Government

Issues and Challenges

• Absence of a comprehensive framework to deal with cyber security
• Role of government in cyber security not clear – regulation v/s market driven; PPP?
• Lack of capabilities and skills
  - Absence of intelligence and information sharing mechanism.
  - Lack of training and knowledge available to LEA and judiciary

Possible Solutions

• Recognize cyber security as a strategic domain of national security; Implement a robust national cyber security framework driven by a national cyber security structure
• Define and leverage PPP models
• Promote research & development, innovation, investments and entrepreneurship
• Focus on building capabilities and skills – create CoEs, institutions, platforms, etc.

Page 18

Cyber Security – Global Cooperation

Issues and Challenges

• Lack of international cooperation & norms to address cyber security requirements
• Absence of international cooperation across jurisdictions to track cyber criminals
• Existing instruments (e.g. Budapest Convention, MLATs) not effective

Possible Solutions

• Development of acceptable global norms
• International Clearing House for critical infrastructure information
• Early Watch and Warning Global System
• Review existing int’l instruments to make them relevant; increase acceptance esp. in developing countries

Page 19

Thank You

Page 20

Cybersecurity - A Global Problem - Needs Collaboration at all ends

• National Nodal Centres on information infrastructure in Public-Private-Partnership (PPP) Mode should cooperate

• Global Service Providers to cooperate with LEA in all countries and respond to their requests for investigations

• CERTs to exchange threats and vulnerabilities data in an open way to build an Early Watch and Warning System

• Incident Management: Information sharing among agencies on incidents - to build an International Incident Response System

• Critical Infrastructure Protection: An international Clearing House for Critical Infrastructure Protection – to share threats, vulnerabilities, attack vectors

• Sharing and deployment of security best practices for cybersecurity

• Acceptable legal norms for dealing with cyber crimes regarding territorial jurisdiction, sovereign responsibility, and use of force; investigation and prosecution of cyber crimes; data preservation, protection, and privacy; and address enforcement provisions in the current cyber laws.

• Implementation of reasonable security practices; privacy protection; incident response; transnational cooperation.

• Law Enforcement Agencies (LEA): Investigation of cases, collection of forensic evidence at the behest of other countries, conducting trial of elements involved in cyber criminal gangs to bring them to justice

Page 21

Securitization of Cyberspace – Relevant Risks

Cyber Security Risks: Political, Military, Societal, Legal, Economic, Business

Computer Security / Cyber Security / National Security

