With cyber threats becoming more sophisticated, the Indian government's efforts at countering them must allow for a larger private sector role.

In the current networked environment, ICT (Information and Communications Technology) forms the backbone of any nation's critical infrastructure. Vital services such as power and water supply systems, telecommunications, banking and finance, emergency and rescue services, transportation and even most defence systems have come to be almost completely dependent on ICT infrastructure. Many of these services also have web interfaces. A cyber attack on any of these sensitive networks could lead to the loss - or manipulation - of sensitive data, or the temporary unavailability of critical infrastructure that could trigger nation-wide crises.

According to estimates, one-in-five critical infrastructure entities across the world reported being the victim of cyberattacks or threatened cyber-attack over the past two years. Some believe the actual figure may be higher. Most cases go unpublicised or unreported, due to reputational and other concerns on the part of victims. And 'victimisation' rates were highest in the power (27 per cent) and oil and gas (31 per cent) sectors, both of which form key components of critical infrastructure for any nation.
Sadly, terrorists and various enemy nations have zoned in on this linkage too, and have added cyber warfare to their arsenals. Advanced technology is increasingly used for recruitment, money laundering, networking and coordinating dispersal activities by 'cyber terrorists', who also take advantage of vulnerabilities in all existing technologies to target government networks and websites to promote their causes.

It is quite evident that governments have also adopted some of these methods now. The Flame, Stuxnet and Duqu malware programs are now widely presumed to be developed by nations to target other nations. The sophistication and ingenuity of these kinds of threats are only going to improve, as many of these efforts will be state funded and will make use of the best brains available. In fact, these attacks need to be put into clear perspective when planning next steps that governments need to take to ensure that future cyber wars are rendered ineffective at best.

This calls for a multi-faceted approach, especially in India. We also perhaps need to take a few pointers from other nations. The US government, for instance, drew up and released more than 300 regulations to handle homeland security and its 'war against terror'. All of these were released between between 9/11 and the March 2004 train attacks in Madrid. The US government also ensured proper implementation and compliance. Before setting out on our own path to fighting such threats, we need to look inward first, as problems abound in this sphere in India.

We are flooded with multiple guidelines for IT security from various regulators, for one. And the implementation of these guidelines is an area of weakness, largely because the interpretation of these guidelines is often open-ended. In most cases, the regulator needs only a certificate of compliance at a specified periodic interval. And sadly, this certificate of compliance is given without a thorough check of the controls put in place. This has to change.

Regulatory agencies must look to enforce proper implementation of guidelines and ensure stringent audit mechanisms to identify weaknesses. This must then be followed up with additional checks to ensure compliance. But, admittedly, this might be an uphill task for our regulators. One possible solution, which should be examined seriously, is to outsource this process to carefully chosen companies.

Cyber terrorism is another ballgame. While the government has been making continuous efforts to enhance its preparedness to counter various security threats, the management of the cyber security situation cannot be left to the police or the government alone. We must look at Public Private Partnerships (PPP). They can help by building, managing and better maintaining layers of defences in networked IT and communication systems, and also provide real-time security management. However, to make this happen, the government must come up with clear regulations that will provide a level playing field to corporations.

Most importantly, it must also set clear accountability standards for such partners. Well designed PPP models would allow many Indian corporates the opportunity to build sustainable revenue models for capability and infrastructure deployment to help safeguard our security. Till we take steps in these directions, creating a robust defence mechanism against cyber terrorism will remain a mirage.