What government’s CISOs think about security in Digital India
The number of e-governance projects has increased under the Digital India programme, but the quest for a robust security framework for protecting information and data continues.
By Mohd Ujaley
With the focus on the Digital India programme, the number of e-governance projects has increased across all government departments. Most of these projects are executed either through tender or in public private partnership (PPP) mode. It is therefore essential to have a proper information security strategy in place to secure the data. This is what the government’s technology heads are gearing up to do: creating an integrated framework to address the heterogeneity and complexity of managing cyber security across government projects.
Whether you speak to a government security head or a private company’s chief information security officer (CISO), they all believe that the time has come to shift towards a more architectural approach. However, every government agency has different vendors, and each invests a lot of energy in figuring out how to correlate all the threat information promptly enough to deal with threats. This is why security vendors are acquiring innovative startups to strengthen their existing security portfolios. Simultaneously, government organisations are focusing on building a security framework to protect the data and information collected through government projects, especially e-governance projects where a service provider or a public–private partnership is involved. The aim is to create a strategic control within government departments so that security enforcement is sustainable.
The need for a security framework
With the success of some e-governance projects like Passport Seva and Aadhar, the government has realised that technology can help it improve governance. Now the Digital India project is taking these things to the next level, not only by focusing on its nine pillars but also by strengthening the back-end platforms and processes. Most government services are getting digitised. Having achieved these objectives, the government now has to ensure that the information collected remains secure.
“Today the criticality of information security management has increased with the technology intervention because the number of users and the flow of data have substantially gone up,” says Rudra Murthy KG, CISO, Digital India, Ministry of Home Affairs (MHA).
Agreeing with this view, Golok Kumar Simli, head – technology, Passport Seva project, Ministry of External Affairs (MEA), says that e-governance is made up of two interfaces – the citizen interface and the back-end interface. Both have to be secure enough to deliver services without any hassle. “I personally feel that the government departments are ready with the security of the back-end interface, but the major challenge is coming from cyberspace,” he adds.
To meet the challenge, the government has taken a number of steps. The MHA has recently issued National Information Security Policy & Guidelines that can be taken as a reference by all central ministries, state governments and public sector units (PSUs) for developing their own information security and control mechanisms. But beyond the guidelines, a policy that really serves its purpose requires government organisations to understand their own requirements, processes and functions. Along with the policy guidelines, they can refer to standards such as ISO 27001 and the COBIT framework.
According to Rudra Murthy, government departments must ask questions such as: what kind of user life cycle do they have, what type of user mix, what type of data do they need, and what is the life cycle of that data. “They should understand these things before creating the operational model for security control. Then they have to come to the technical control and implementation of this framework,” he adds.
An ideal cyber security framework is also constrained by the fact that, across the world, the concept of security is changing. Security is moving beyond firewalls. The old rule that anything inside the firewall is trusted and anything outside is not, along with the idea of the network as the perimeter, is fading. Organisations are now focusing on continuous monitoring of their cyber infrastructure in order to anticipate threats in advance.
Vijay Devnath, general manager (infra & security) & CISO, Centre for Railway Information Systems (CRIS), says, “Ideally, organisations should try to adopt the COBIT framework, but security does not stop at having the right person and the right solution in place. Organisations need to check themselves, how good they are from the day they started. There should be frequent assessment and external audit for ensuring a robust information security management system framework.”
More stakeholders, more risk
In addition to technology partners for e-governance projects, most government departments involve a consultant for project management. This increases the number of stakeholders and, with it, the risk of a data breach. That is why Rudra Murthy of MHA says that security measures should be part of the contract itself. Service providers must be completely vetted prior to onboarding, and they must also be monitored on a continuous basis during execution. “In addition, government departments need to have complete clarity around intellectual property rights, data protection rights and technology retention rights,” says Rudra Murthy, adding that controls should not be limited to liquidated damages; proactive, corrective and reactive mechanisms should also be considered.
Simli of MEA says, “Government departments must understand that outsourcing a job to the service partners does not mean outsourcing responsibility.” He gives the example of the passport division, which has set the rules and regulations for issuing passports. He asks, “Do you really think that this knowledge of set rules and regulations will come from the private partner?” It has to come from the government side, he says, and it is a continuous transformation. “Even for any ICT enablement, the flow and direction must come from the government,” he adds.
Securing the talent
However, the right flow and direction will come only when there is the right talent. The time has therefore come for the top of the government to scale up its human resource talent and technical expertise, so that it understands the nitty-gritty of the scope of work given to a service provider. This will help it understand what is expected during implementation and how to get the work done on time. Right now, most of these controls are in administrative hands, but ideally they should be handled by a technical person. Very few talented people, however, are interested in working under a programme management unit (PMU) set-up because of the unpredictable future and weak appraisal system.
“The major problem with a PMU set-up is that the employee is hired on a contract basis without any assurance of contract renewal. Even if somebody joins, they keep on looking for permanent opportunities,” says Simli. According to Rudra Murthy, “This could be addressed when the talent becomes part of the government itself.”
Awareness is the silver bullet
Above all the challenges, the good news is that in the recent past awareness about cyber security has increased. Everybody, be it political leaders, bureaucrats, the RBI, SEBI or corporates, is talking about it. This is thanks partly to some notable data breaches and partly to Edward Joseph Snowden, whose disclosure of numerous global surveillance programmes run by different governments led to an intense debate on data security and privacy. That debate catalysed the concept of data localisation, and different government departments are now taking steps to beef up their cyber security mechanisms. “The awareness level has increased, but on the technical front a lot of maturity is needed,” says Rajiv Prakash Saxena, ex-deputy director general, National Informatics Centre (NIC).
Agreeing with Saxena, Simli says, “Awareness is key, but we also need a robust security layer for critical projects. We are currently dependent on third-party service providers for security solutions. Sooner or later, we should have our own indigenous security products in our security layer, else the quest for a silver bullet will continue.”