Preparing to thwart large scale cyberattacks, the Maha way
The government of Maharashtra has conceptualised Maharashtra Cyber Project. It has four major components – technology assisted investigation, CERT-Maharashtra, Big Data Analytics Centre, and capability building module. The first module—technology assisted investigation has been completed and now the state is focusing on second module—CERT-Maharashtra and the Big Data Analytic Centre. In an interview with Mohd Ujaley, Brijesh Singh, Inspector General of Police (Cyber), Government of Maharashtra says, “The country will need modern and scale cyber defence mechanism to thwart large scale cyber-attack. Maharashtra is very cognizant of all these development and we are wanting to develop a good cyber defence infrastructure.”
Maharashtra government has conceptualised Maharashtra Cyber Project. What is the major focus of this project?
The government of Maharashtra has conceptualised Maharashtra Cyber Project. It has four major components – technology assisted investigation, CERT-Maharashtra, Big Data Analytics Centre, and capability building module. We are almost through with the first module that is technology assisted investigation. In fact, Maharashtra happens to be a unique state which has established 44 cyberlabs which also functions as cyber police stations. The cyber police station does not take away the rights of a normal police station to investigate but all the specialised cyber cases would come to cyber police station. These cyber police stations have the state of art tools, technology, equipment and training infrastructure for police personal to help them solve cyber cases in more prompt and efficient way.
We are now focusing on our second module—CERT-Maharashtra and the Big Data Analytic Centre. As far as CERT-Maharashtra is concern, it is a really an ambitious project and need of the hour for the state. Maharashtra being the financial capital of the country, it is constantly under the cyber threat and cyber-attacks. Large banking institutions are also headquartered in Mumbai. S,o we as a state do not want to lose this competitive edge that we have, as you know there are other states who are competing in this space. As a state, if we do not offer them some kind of cyber defence, apart from losing competitive edge, we may find a situation where we are unable to handle if some large scale cyber-attack take place.
Looking at the trend of cyber security attack in 2017, you will find large Distributed Denial of Service (DDoS) attacks are happening across the world. For a service based industry like India, cybersecurity becomes very critical. But our ability to face large scale DDoS attack are slightly limited right now.
In this space one development has taken place is the Mirai Botnet. It has changed the scale by the factor of 100. Earlier, it was rare to find a 6 Gigabits per second (GBPS) attack but with Mirai, you have attacks in Terabits per second (TBPS). So, we will need modern and scale cyber defence mechanism to thwart large scale cyber-attack. Maharashtra is very cognizant of all these development and we are wanting to develop a good cyber defence infrastructure, that is why we have conceptualised Maharashtra Cyber Project.
You mentioned about CERT-Maharashtra, what is your strategy about writing request for proposal (RFP) because most of the things in the cyber world is evolving, that means you need to have a futuristic RFP?
We are floating an expression of interest on a turnkey basis. We are checking solutions of companies and consortia who are major players in the field of IT and cybersecurity. We have deliberately chosen this path because if we go on RFP based with our existing knowledge, we may be missing different things. But with floating expression of interest, best solution and finest companies of the world would come to tell us about different aspect of the project. They may also tell us what is do-able now and what is futuristic. Once, we have the good idea of the terrain, we will come up with the comprehensive RFP and I hope we will be able to design something which will be a next generation and futuristic.
Are you also in touch with other states or other government organisations who have done something significant in the field of cybersecrity?
Yes, we are in touch with Ministry of Electronics and Information Technology (MeitY), Government of India and Indian Computer Emergency Response Team (CERT-In). Both of them are guiding us. In addition, some of the corporate organisation have also come forward to provide their suggestions. They are telling us what is needed and what is available right now in the market. So, there is lot of synergy happening. I feel Maharashtra would take the lead in establishing the modern CERT, which will be very useful for people, government and corporate.
We already have CERT-India, so why Maharashtra has decided to set-up CERT-Maha?
Look, India is growing. The states critical infrastructure is growing. The central body, CERT-India, is doing great job but with the growth, it has been felt that CERT needs to expand itself. That is why under the guidance of CERT-In, the government has asked to form regional CERT and sectorial CERT. So, the regional CERT will be in partnership with CERT-India and it will basically lead to augmentation of the capacity.
Is centre also funding the project?
No, funding is completely from state of Maharashtra but for knowledge sharing we are closely liaising with the centre. MeitY and CERT-In are fully supporting it from policy wise. Both secretary and the minister are very supportive of this project and whatever help Maharashtra needed from Centre in terms of guidance and policy that is being provided by the ministry.
Regional CERT is good idea but what about breach notification, most of the mature market like US and EU have robust guidline, framework or law in place but we don’t have it. What is your view on this?
We are positively moving in that direction. In June 2013, India came up with the cyber security policy of its own. Dr Gulsha Rai, who now heads the cybersecurity in PMO was the instrumental in bringing this policy. Apart from that government is coming up with a cyber infra policy. Even, under IT Act, set of guideline and rules have been laid down for liability and intermediaries. This is something that we learn by doing. We can’t do it by copying the laws and rules which were made in other countries. Recently, RBI has made mandatory to report incidents of cyber breaches. You know, there is a flip side to it too. Once, the breach is reported, the law enforcement agency should have capability to do something about it. It is not there right now but in future we will have something on this. I am sure the rules and guidelines will be drafted which is easy to follow and take care of the interest of both government, people and corporate.
Other than, you know in a democracy, government is run by trust. It is essential to have framework that have trust in the system. You know there is paradox in it. The big IT companies know everything about us. From dark to light but those are not available to government. Government will try to get these data. They will try to collect as much data as they can to protect people. But they need to come up with the guideline or framework which says that they will only use the collected data in the case of national security or in crime cases.