The Hindu : Private sector's role in information security

Online edition of India's National Newspaper
Wednesday, May 03, 2000

Front Page \| National \| International \| Regional \| Opinion \| Business \| Sport \| Science & Tech \| Miscellaneous \| Features \| Classifieds \| Employment \| Index \| Home

Business \| Previous \| Next Private sector's role in information security THE PHENOMENAL growth of the communication network, in particular the Internet, has really turned geography into history worldwide. From 1.3 million hosts in 1993, the Internet at the beginning of the millennium consisted of countless autonomous networks with 72.4 million hosts in seven generic and 228 country and territory domains. According to Mr. Rutkowski of the Centre for Next Generation Internet @ www.ngi.org/trends-200002/index.htm the current annual growth rate of Internet stands at 63 per cent. Based on this growth rate, the 100 million-host level will be reached in the last quarter of 2000 and the one billion by the middle of 2005. As of January 2000, with a population of about 66 million hosts in three and two-letter domains hosted on servers located within the country, the U.S. has the highest host site density in the world. Close home, China has an impressive performance with a four-fold increase to 72,000 hosts by January when compared to the number in January 1999. India's performance showed a two-fold increase to 23,000 hosts during the same period. Thus, it is becoming abundantly clear that societies will become increasingly dependent on such information technologies as Internet and world wide web. heralding the arrival of the information age. This dependence will extend to vital civilian sectors as communications, air/rail networks, banks and to key strategic and defence fields. Indian scenario In India, it is estimated that e-commerce will play an increasingly important role in business as it has already begun to do in developed countries. Initiatives such as Sankhya Vahini network will provide a high-bandwidth backbone to the whole country, while the proposed Vidhya Vahini network will cater to the ``last mile'' problem and enable educational and R&D institutions to access this high-bandwidth backbone. With the liberalisation of ISP (Internet Service Provider) policy whereby private ISPs are now allowed to set up their own gateways, Internet connectivity will increase from about 130 mbps at present to 3 Gbps in a year. Coupled with a growth rate for hosts of about 70 per cent, the dependence on Internet is expected to be overwhelming. Further, it has been generally observed worldwide that the growth of Internet access and intranets is closely related to economic growth. With India integrating itself with the world economy through the World Trade Organisation, the need for embracing globalisation and economic liberalisation is felt more now than ever before. There is no better medium of communication with the world than the Internet and a networked ambience. Threat to information Every revolution in the system for creating wealth triggers a corresponding revolution in the system for making war. The information revolution is no exception. With knowledge becoming one of the powerful resources for an enterprise and the Internet providing a conduit for transfer of knowledge and therefore wealth, this very same medium has also become a conduit for attack by terrorist, anti-social and anti-national elements. Recent denial-of-service attacks on several well-known websites such as yahoo.com, buy.com amazon.com in the U.S. and more serious break-ins into several India web sites like BARC mail server, DOE web server and the Indian Science Congress web server should alert Indian infotech firms to the perils of e-vandalism and cybersabotage. In the Indian context, the nature of targets as also the origin of attacks lead one to conclude the malafide intention of the intruders, to build up capabilities for disrupting the economy. While hackers have managed to penetrate many sensitive websites and computer networks in the U.S. Indian institutions and corporates have only recently begun to realise their vulnerability. As the countries dependence on computer networks and the Internet continues to grow, the relative ease with which hackers are able to penetrate Indian networks and sites to unleash cyberterrorism, will cease to be a matter of nuisance for individual victims alone and will pose a threat to the stability of the entire economy. Moreover, the fact that the same network can be used by a person to launch attacks on an organisational network from virtually anywhere in the world through a simple telephone line opens up new avenues for cybercrimes. Thus cybercrimes transcend geographical boundaries and are wholly independent of military interventions. According to a recently released report of the Central Intelligence Agency (U.S.), hostile neighbours are choosing cyber warfare as a cheaper option to attack Indian society than the law intensity conflicts currently being waged. Though the open standards of the network protocols and the UNIX operating system have now become the caveats that are exploited to its fullest extent by the hackers, fortunately these very same standards allow quite customer-specific secure configurations buildable. Further, the lack of concern in certain cases from the software vendors and the system and network administrators has further helped the cause of the hackers. Thus, at present, Indian industry, commerce, trade and government agencies are not geared to deal with these challenges thrown up by the massive increase in connectivity. However, they have no alternative but to be prepared in the emerging Internet age. Information security With society, commerce, military and governance increasingly dependent on a networked open environment, it is of paramount importance to safeguard and protect information and ensure its safety during transfer from unwanted and potentially dangerous intruders. For example, trillions of dollars in financial transactions and commerce move over this medium with minimal protection. With increasing quantities of intellectual property rights flowing through networked systems, opportunities are aplenty to disrupt commercial and military effectiveness along with public safety while maintaining the element of surprise and anonymity. While at present business-to-business sites are reasonably secure though still vulnerable, business-to-consumer sites are virtually unprotected. This hampers the growth of e-commerce as customers are leery of parting with confidential data such as credit card numbers. Recent incidences of hacking and the threat these pose to corporates and government agencies present a great business opportunity for the IT industry, just as much as devising solutions to Y2K problems did. It is therefore imperative for Indian software houses to recognise the breadth and depth of challenges thrown up by massive expansion of Internet and networked architecture and convert these challenges to opportunities for generating wealth. This calls for generation of technologies for network protection, secure data storage and intrusion-proof information transfer within and between networks. While some of these technologies are available commercially around the world, it must be understood that not all of them are available freely. A case in point is the control on the sale of encryption products based on the level of protection it gives for the information that needs protection. A level that prevents security agencies of countries where these technologies are developed, from decrypting information flowing through these products is almost always denied for sale to most countries outside the country of origin of technology. It is in this context that Indian companies and software houses must rise to fully utilise their software strengths to provide network protection solutions to guarantee economic security and therefore national security. Technologies Given the emerging environment, the vulnerability of the networked architecture in place and inadequate protection of information available to business and government, it is imperative that technologies to combat such challenges have to be acquired and installed. These are broadly classified under surveillance and protection technologies. The specific technologies that would be needed for ensuring information security are briefly explained in the succeeding paragraphs. Surveillance technologies Surveillance of the network is an important function towards being vigilant against intruders. An Intrusion Detection System (IDS) continuously monitors activity on the organisational network and alerts the administrator in case some suspicious activity is registered. An advanced IDS also `learns from the experience' about the signatures of the sophisticated attacks and differentiates between a valid network request and the precursors of a potential attack. Such advanced IDS like network intrusion detector developed by the Department of Energy in the U.S. are protected by the export control laws from being installed outside U.S. government agencies. Another system is the automatic network discovery, management and monitoring system, which is capable of mapping the network. This capability enables collection of instantaneous network statistics from all the computers and affords the network system administration of trusted hosts. With the convergence of telephone and Internet, voice over the data network will dominate the Indian scene soon. This calls for a complete re-look of the conventional monitoring mechanism established over the years to protect business and government interests alike. Monitoring of such voice over IP traffic for speech identification and analysis would be a major technology to be acquired. Protection technologies A secure communication consists of two parts, namely, ensuring the security of the network itself and ensuring security of the data on the network. The first is usually addressed by software packages popularly known as `Firewalls', whereas encrypting the individual packets during transmission ensures the second aspect. The next generation Internet Protocols (known as IPV6) will incorporate a more advanced security standard called IP Sec. Though still at a development stage, the so-called Virtual Private Networks (VPN) are an attempt to put in place the IP Sec protocol. Similarly a number of technologies and activities are needed to defend against information warfare. At the very outset, there is an urgent need to create a map of all Internet nodes with a view to seeing if they manifest any vulnerabilities and issuing appropriate alerts. The objective of this activity is to ensure that nodes do not become vulnerable owing to negligence on the part of the local network or system administrator. Creation of data base of `patches' to commercial software issued by software vendors from time to time and data base of anti-virus software that hits the market will have to be created and constantly updated in a format that can be easily accessed on-line. Lead by private sector As explained in detail earlier, the growth of host sites in India is rapid and majority of these sites are put up by the private sector. As these sites grow in number even more rapidly and are used extensively for e-commerce in the near future, the vulnerability of these sites to attacks as also the security of information and knowledge either resident or flowing through these sites, become extremely significant factors that cannot be left to chance. The solutions to these problems are found mostly in developing high-end software and a few items of hardware. The advantage of the availability of high-quality software engineers within the country and the world leadership achieved by our software industry therefore makes Indian software houses uniquely positioned to gainfully utilise their software strength to provide network and information protection solutions to guarantee the needed information security. In addition, the private sector offers the following major advantages when compared to the government sector. Flexibility of hiring: A private sector firm can put a qualified team in place to work on technology solutions far more quickly than the government sector, as the former can afford flexible hiring practices and package. At the same time, as the requirement changes, a private sector firm will be able to adapt and adjust its manpower to the changed scenario, which will be difficult in a government sector. Retention of key individuals: The key to developing world-class software-based security solutions is the ability of firms to retain manpower. By paying industrially competitive salary packages, perks and even equity options, private sector firms are in a better position to provide continuity of key persons and experienced professionals involved in projects that is not possible in a government sector. Good software practices: The market compulsions in the private sector are much stronger and have more implications for delivery schedules and cost/time overruns than in similar government projects. Therefore, it is common for software developers in the private sector to follow better software engineering practices. Because of these reasons Indian software houses today are experienced in designing, delivering and commissioning some extremely large software packages. For instance, the software that runs the Zurich Stock Exchanges has been designed and developed by an Indian firm spending 500 man-years. Further, several Indian software units now have CMM Level 5 certification, which is the highest to which a company can aspire. As the complexity of the Indian networked community increases, it will become even more important that sound practices be followed. Marketing and after-sales support: Though just five years old, e- commerce is perceived by many to be a prime driver of global business in the foreseeable future. According to one estimate, the turnover through e-commerce doubles every year on an average. From about $40 billion in 1999, the turnover is expected to touch $1.4 trillion by 2004. In India, the current turnover through e- business is about Rs. 300 crores which is expected to reach Rs. 3,000 crores by 2004. With such large-scale expansion of e- commerce today, information security is of equal concern to the private sector as it is to the government sector. In the backdrop of several large Indian industrial houses announcing their plans to plunge into fully integrated e- business, it has become imperative that while constantly introducing innovative products into the market, adequately efficient after-sales support needs to be made available. In this respect, government sectors are strikingly disadvantaged. The unprecedented growth of Internet, computer networks and the rapid expansion of e-business taking place world over have intensely affected the way business and commerce are done in India. This has resulted in growing dependence on information technologies. Ushering in of the information age in India is fraught with concerns on the security of especially Intellectual Property Rights (IPR)-laden information and computer networks on a scale never seen before. With the private sector propelling the growth of IT the world over and therefore in India, issues such as information and network security are of greater concern to the private sector than to the government sector. Thus the time is just ripe to encourage large-scale investments in security technologies by the private sector with the Government playing a catalytic role on national security considerations. M. S. Vijayaraghavan Director (Technology Interface), Office of Secretary, Dept. of Defence R & D, New Delhi The views expressed by the author are his own and do not reflect/represent the views of the Government. Send this article to Friends by E-Mail
Section : Business Previous : Quality circles tapped by auto sector Next : Emergence of India as knowledge superpower: some issues
Front Page \| National \| International \| Regional \| Opinion \| Business \| Sport \| Science & Tech \| Miscellaneous \| Features \| Classifieds \| Employment \| Index \| Home
Copyright © 2000 The Hindu Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu

Front Page \| National \| International \| Regional \| Opinion \| Business \| Sport \| Science & Tech \| Miscellaneous \| Features \| Classifieds \| Employment \| Index \| Home

Business \| Previous \| Next Private sector's role in information security THE PHENOMENAL growth of the communication network, in particular the Internet, has really turned geography into history worldwide. From 1.3 million hosts in 1993, the Internet at the beginning of the millennium consisted of countless autonomous networks with 72.4 million hosts in seven generic and 228 country and territory domains. According to Mr. Rutkowski of the Centre for Next Generation Internet @ www.ngi.org/trends-200002/index.htm the current annual growth rate of Internet stands at 63 per cent. Based on this growth rate, the 100 million-host level will be reached in the last quarter of 2000 and the one billion by the middle of 2005. As of January 2000, with a population of about 66 million hosts in three and two-letter domains hosted on servers located within the country, the U.S. has the highest host site density in the world. Close home, China has an impressive performance with a four-fold increase to 72,000 hosts by January when compared to the number in January 1999. India's performance showed a two-fold increase to 23,000 hosts during the same period. Thus, it is becoming abundantly clear that societies will become increasingly dependent on such information technologies as Internet and world wide web. heralding the arrival of the information age. This dependence will extend to vital civilian sectors as communications, air/rail networks, banks and to key strategic and defence fields. Indian scenario In India, it is estimated that e-commerce will play an increasingly important role in business as it has already begun to do in developed countries. Initiatives such as Sankhya Vahini network will provide a high-bandwidth backbone to the whole country, while the proposed Vidhya Vahini network will cater to the ``last mile'' problem and enable educational and R&D institutions to access this high-bandwidth backbone. With the liberalisation of ISP (Internet Service Provider) policy whereby private ISPs are now allowed to set up their own gateways, Internet connectivity will increase from about 130 mbps at present to 3 Gbps in a year. Coupled with a growth rate for hosts of about 70 per cent, the dependence on Internet is expected to be overwhelming. Further, it has been generally observed worldwide that the growth of Internet access and intranets is closely related to economic growth. With India integrating itself with the world economy through the World Trade Organisation, the need for embracing globalisation and economic liberalisation is felt more now than ever before. There is no better medium of communication with the world than the Internet and a networked ambience. Threat to information Every revolution in the system for creating wealth triggers a corresponding revolution in the system for making war. The information revolution is no exception. With knowledge becoming one of the powerful resources for an enterprise and the Internet providing a conduit for transfer of knowledge and therefore wealth, this very same medium has also become a conduit for attack by terrorist, anti-social and anti-national elements. Recent denial-of-service attacks on several well-known websites such as yahoo.com, buy.com amazon.com in the U.S. and more serious break-ins into several India web sites like BARC mail server, DOE web server and the Indian Science Congress web server should alert Indian infotech firms to the perils of e-vandalism and cybersabotage. In the Indian context, the nature of targets as also the origin of attacks lead one to conclude the malafide intention of the intruders, to build up capabilities for disrupting the economy. While hackers have managed to penetrate many sensitive websites and computer networks in the U.S. Indian institutions and corporates have only recently begun to realise their vulnerability. As the countries dependence on computer networks and the Internet continues to grow, the relative ease with which hackers are able to penetrate Indian networks and sites to unleash cyberterrorism, will cease to be a matter of nuisance for individual victims alone and will pose a threat to the stability of the entire economy. Moreover, the fact that the same network can be used by a person to launch attacks on an organisational network from virtually anywhere in the world through a simple telephone line opens up new avenues for cybercrimes. Thus cybercrimes transcend geographical boundaries and are wholly independent of military interventions. According to a recently released report of the Central Intelligence Agency (U.S.), hostile neighbours are choosing cyber warfare as a cheaper option to attack Indian society than the law intensity conflicts currently being waged. Though the open standards of the network protocols and the UNIX operating system have now become the caveats that are exploited to its fullest extent by the hackers, fortunately these very same standards allow quite customer-specific secure configurations buildable. Further, the lack of concern in certain cases from the software vendors and the system and network administrators has further helped the cause of the hackers. Thus, at present, Indian industry, commerce, trade and government agencies are not geared to deal with these challenges thrown up by the massive increase in connectivity. However, they have no alternative but to be prepared in the emerging Internet age. Information security With society, commerce, military and governance increasingly dependent on a networked open environment, it is of paramount importance to safeguard and protect information and ensure its safety during transfer from unwanted and potentially dangerous intruders. For example, trillions of dollars in financial transactions and commerce move over this medium with minimal protection. With increasing quantities of intellectual property rights flowing through networked systems, opportunities are aplenty to disrupt commercial and military effectiveness along with public safety while maintaining the element of surprise and anonymity. While at present business-to-business sites are reasonably secure though still vulnerable, business-to-consumer sites are virtually unprotected. This hampers the growth of e-commerce as customers are leery of parting with confidential data such as credit card numbers. Recent incidences of hacking and the threat these pose to corporates and government agencies present a great business opportunity for the IT industry, just as much as devising solutions to Y2K problems did. It is therefore imperative for Indian software houses to recognise the breadth and depth of challenges thrown up by massive expansion of Internet and networked architecture and convert these challenges to opportunities for generating wealth. This calls for generation of technologies for network protection, secure data storage and intrusion-proof information transfer within and between networks. While some of these technologies are available commercially around the world, it must be understood that not all of them are available freely. A case in point is the control on the sale of encryption products based on the level of protection it gives for the information that needs protection. A level that prevents security agencies of countries where these technologies are developed, from decrypting information flowing through these products is almost always denied for sale to most countries outside the country of origin of technology. It is in this context that Indian companies and software houses must rise to fully utilise their software strengths to provide network protection solutions to guarantee economic security and therefore national security. Technologies Given the emerging environment, the vulnerability of the networked architecture in place and inadequate protection of information available to business and government, it is imperative that technologies to combat such challenges have to be acquired and installed. These are broadly classified under surveillance and protection technologies. The specific technologies that would be needed for ensuring information security are briefly explained in the succeeding paragraphs. Surveillance technologies Surveillance of the network is an important function towards being vigilant against intruders. An Intrusion Detection System (IDS) continuously monitors activity on the organisational network and alerts the administrator in case some suspicious activity is registered. An advanced IDS also `learns from the experience' about the signatures of the sophisticated attacks and differentiates between a valid network request and the precursors of a potential attack. Such advanced IDS like network intrusion detector developed by the Department of Energy in the U.S. are protected by the export control laws from being installed outside U.S. government agencies. Another system is the automatic network discovery, management and monitoring system, which is capable of mapping the network. This capability enables collection of instantaneous network statistics from all the computers and affords the network system administration of trusted hosts. With the convergence of telephone and Internet, voice over the data network will dominate the Indian scene soon. This calls for a complete re-look of the conventional monitoring mechanism established over the years to protect business and government interests alike. Monitoring of such voice over IP traffic for speech identification and analysis would be a major technology to be acquired. Protection technologies A secure communication consists of two parts, namely, ensuring the security of the network itself and ensuring security of the data on the network. The first is usually addressed by software packages popularly known as `Firewalls', whereas encrypting the individual packets during transmission ensures the second aspect. The next generation Internet Protocols (known as IPV6) will incorporate a more advanced security standard called IP Sec. Though still at a development stage, the so-called Virtual Private Networks (VPN) are an attempt to put in place the IP Sec protocol. Similarly a number of technologies and activities are needed to defend against information warfare. At the very outset, there is an urgent need to create a map of all Internet nodes with a view to seeing if they manifest any vulnerabilities and issuing appropriate alerts. The objective of this activity is to ensure that nodes do not become vulnerable owing to negligence on the part of the local network or system administrator. Creation of data base of `patches' to commercial software issued by software vendors from time to time and data base of anti-virus software that hits the market will have to be created and constantly updated in a format that can be easily accessed on-line. Lead by private sector As explained in detail earlier, the growth of host sites in India is rapid and majority of these sites are put up by the private sector. As these sites grow in number even more rapidly and are used extensively for e-commerce in the near future, the vulnerability of these sites to attacks as also the security of information and knowledge either resident or flowing through these sites, become extremely significant factors that cannot be left to chance. The solutions to these problems are found mostly in developing high-end software and a few items of hardware. The advantage of the availability of high-quality software engineers within the country and the world leadership achieved by our software industry therefore makes Indian software houses uniquely positioned to gainfully utilise their software strength to provide network and information protection solutions to guarantee the needed information security. In addition, the private sector offers the following major advantages when compared to the government sector. Flexibility of hiring: A private sector firm can put a qualified team in place to work on technology solutions far more quickly than the government sector, as the former can afford flexible hiring practices and package. At the same time, as the requirement changes, a private sector firm will be able to adapt and adjust its manpower to the changed scenario, which will be difficult in a government sector. Retention of key individuals: The key to developing world-class software-based security solutions is the ability of firms to retain manpower. By paying industrially competitive salary packages, perks and even equity options, private sector firms are in a better position to provide continuity of key persons and experienced professionals involved in projects that is not possible in a government sector. Good software practices: The market compulsions in the private sector are much stronger and have more implications for delivery schedules and cost/time overruns than in similar government projects. Therefore, it is common for software developers in the private sector to follow better software engineering practices. Because of these reasons Indian software houses today are experienced in designing, delivering and commissioning some extremely large software packages. For instance, the software that runs the Zurich Stock Exchanges has been designed and developed by an Indian firm spending 500 man-years. Further, several Indian software units now have CMM Level 5 certification, which is the highest to which a company can aspire. As the complexity of the Indian networked community increases, it will become even more important that sound practices be followed. Marketing and after-sales support: Though just five years old, e- commerce is perceived by many to be a prime driver of global business in the foreseeable future. According to one estimate, the turnover through e-commerce doubles every year on an average. From about $40 billion in 1999, the turnover is expected to touch $1.4 trillion by 2004. In India, the current turnover through e- business is about Rs. 300 crores which is expected to reach Rs. 3,000 crores by 2004. With such large-scale expansion of e- commerce today, information security is of equal concern to the private sector as it is to the government sector. In the backdrop of several large Indian industrial houses announcing their plans to plunge into fully integrated e- business, it has become imperative that while constantly introducing innovative products into the market, adequately efficient after-sales support needs to be made available. In this respect, government sectors are strikingly disadvantaged. The unprecedented growth of Internet, computer networks and the rapid expansion of e-business taking place world over have intensely affected the way business and commerce are done in India. This has resulted in growing dependence on information technologies. Ushering in of the information age in India is fraught with concerns on the security of especially Intellectual Property Rights (IPR)-laden information and computer networks on a scale never seen before. With the private sector propelling the growth of IT the world over and therefore in India, issues such as information and network security are of greater concern to the private sector than to the government sector. Thus the time is just ripe to encourage large-scale investments in security technologies by the private sector with the Government playing a catalytic role on national security considerations. M. S. Vijayaraghavan Director (Technology Interface), Office of Secretary, Dept. of Defence R & D, New Delhi The views expressed by the author are his own and do not reflect/represent the views of the Government. Send this article to Friends by E-Mail
Section : Business Previous : Quality circles tapped by auto sector Next : Emergence of India as knowledge superpower: some issues
Front Page \| National \| International \| Regional \| Opinion \| Business \| Sport \| Science & Tech \| Miscellaneous \| Features \| Classifieds \| Employment \| Index \| Home
Copyright © 2000 The Hindu Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu