eGov-April-2008-[16-20]-Protecting Critical Infrastructure-Jerry Cochran

industry perspective

Protecting Critical Infrastructure

“We see India as a key developing area for Critical Infrastructure Protection (CIP). There is a lot of scope for leadership. Some of the work that is done in India is very encouraging from the development perspective”, says Jerry Cochran, Senior Security Strategist, Microsoft Corporation

www.egovonline.net

You lead Microsoft’s efforts for Critical Infrastructure Protection (CIP) and cyber security exercise at various levels. Please elaborate upon the need for protecting the Critical Infrastructure.

National security, economic security and public health safety are the major areas which come under the purview of Critical Infrastructure Protection (CIP). The Government typically organises these sectors into silos of activities such as the energy, transportation, banking and finance sector, and all of these undertake activities to protect that Critical Infrastructure. However, it is important to separate Critical Information Infrastructure (CII) and to differentiate it from Critical Infrastructure, as CII encompasses information and communication technology assets that cut across all sectors. Whether you are in the banking or finance or oil and natural gas sector, you are dependent upon the telecom and IT products to run that infrastructure. So when we are talking about CII, we are talking about protecting those cross-cutting interdependencies. When we talk about cyber security it directly applies to that, because they are pieces of infrastructure that are dependent, they have IT infrastructure that is cross-cutting. It is important to note that IT and communication has a very virtual and logical identity, they are not a set of physical assets. Therefore, they cannot be organised into silos and we need to see what each of these are, and approach them from the IT and communication perspective.

In India we see that the Critical Infrastructure is gradually moving into the private hands. There are two ways – first of all, the government itself wants the private sector to make more and more investments. Secondly, the government is privatising its own state-owned enterprises either partially or fully. Your comments.

In every country in the world, what we have observed is that there are different drivers of the government and the private sector – operators and owners that impact upon the policy and regulation. There are different regimes in different parts of the world. For example, in the United States about 85% of the Critical Infrastructure is owned by the private sector. If you take another country like Australia, most of the Critical
Infrastructure is owned by the government. In Norway, almost 99% of the Critical Infrastructure is owned by the government too. Therefore, they do not have to deal much with the private sector. In India, it is seen that there is a combination of the public and the private. The government’s focus is on what are its core competencies and create and provide opportunities for the private sector. The government should invest in what they are best at and create incentives for the private sector. In every country there is a different policy and regulatory landscape on how the decisions are made. One important thing is to acknowledge the fact that what might work for a particular country may or may not work for another. What may work for the US may not work for India or Australia. Whether it is a developed country or a developing country, the governments need to decide what is best suited for them.

Please tell us about the need for a layered approach to CIP.

First of all, the idea is that at a higher level, there is a need to acknowledge the importance of CIP in national and economic security and public health safety. The Government of India has done that in further provisions and amendments in the IT Act or going towards recognising Critical Infrastructure and understanding that there is a dependency on that Critical Infrastructure upon Information and Communication Technologies and it is important to manage risks. It is also important to recognise what you want to accomplish at the village level, at the city level, and at the national level and what you want to acknowledge and achieve in that infrastructure. This can be worked through the joint efforts of the government and the private sector.

What are the different kinds of threats to Critical Infrastructure?

In terms of threats, almost all countries are taking an all-hazards approach and not just against cyber threat. This is because of the fact that the way someone can hack into the control panel or shut down a power grid, someone like a terrorist can also blow something up which does not have a cyber component at all. So in terms of protecting the Critical Infrastructure, there has to be an overall protection from all threats including threats from terrorists
and natural disasters. For example, in the US, Hurricane Katrina had a devastating effect on the information and communication systems, telecom systems and power of that region. Similarly, in the twin tower terrorist attack of 9/11, the telecom and communication systems of that region were affected, which directly hit the New York Stock Exchange. Threats are therefore of various kinds, natural and man-made, intentional and unintentional.

What are some of the features of Microsoft-based solution for protecting Critical Infrastructure such as rail, roads, ports, power and water supplies?

Protection of Critical Infrastructure requires setting or defining the roles for the public and the private sector in the risk management process. The government sets various goals and functions that are to be performed from their end. There are some critical functions that they want to provide in terms of the economy, national security, etc. Therefore, they can work in Public Private Partnership (PPP) in order to provide the citizens with the Critical Infrastructure such as power and water. The owners and the operators can get together and figure out the risks, prioritise the risks and find solutions to those risks. You can also see how to analyse those risks, you can look for existing mitigations and also look for further mitigations for those risks. The owners and the operators in a case like the US, where almost 85% of the Critical Infrastructure is owned by the private sector, would know the best way to protect the Critical Infrastructure. Similarly, in the case of Norway, it is the government who does the same. But it is important to know how these critical functions are put together and to know what are the critical inter-dependencies and intersecting points.

The other important key point is building operations or response frameworks. You have a cyber incident or a natural incident, or a terrorist incident, regardless of the origin, there needs to be a way to respond and recover every aspect of the Critical Infrastructure assets. In the operational response framework, the government may have an operational response capability. Even a private sector company like Microsoft can have an instant response capability, however, often what we find is that those are not aligned. For example, in the cyber security arena, Cert India can have a specific way that they respond to India and India’s specific events. There can be an industry consortium that has sectoral Internet response mechanisms. In the US, we call it Internet Sharing and Analysis Centre (ISAC). In Microsoft, we have our own security response for our own product vulnerabilities and yet we do not collaborate or align our operational response framework across those layers of the individual private sector or government. In the US, what we do every two years is a National Cyber Security Exercise under the Department of Home and Security. This exercise really seeks to align those three layers – the government, the sector and the owner – which is the operator.

And finally, there is a need to have a continuous set of interactive cycles. You cannot just assess the risks of Critical Infrastructure and provide some control, mitigate risks and then walk away, since the landscape is constantly changing and the infrastructure itself is constantly changing. In India,
the infrastructure is continuously moving into private hands and that will change the entire risk equation so it has to be continuously reassessed and redone. The point is that we want to create a culture of regulating security across the public and the private sector. The process has to be supported by legislation. This is one of the reasons why the IT Security Act in India is going to continually evolve and some of the proposals for amendments could be implemented.

What is Microsoft doing about CIP within the overall umbrella framework of Trustworthy Computing? Please tell us about some of your government sector projects in this area.

Trustworthy Computing is an initiative started by Microsoft in 2002 and it really changed the way Microsoft builds its software and the culture in the company. They have four pillars – security, privacy, reliability and business practices. If you see them from a pure Microsoft product point of view, there may be a huge need for change. But if you look at them from a Critical Infrastructure point of view, I may need to worry about security of Critical Infrastructure, data protection and privacy. The business practice is very important especially what the consumers, the government and the industry view about Microsoft as a company. Are we open and transparent? Are we working on multiple products and solutions? Are we following the government’s rules and regulations? These are all the issues that we are trying to work on, in order to build the Trustworthy Computing.

In CIP and Trustworthy Computing, we are really working on three to four fronts. One of them is Software Assurance. Software Assurance is a complete way of improving the security of software. It is also about software and security life-cycles and how do we reduce the number of vulnerabilities and improve the life-cycle of our products. For example, how do we know when a developer checks something in the resource stream and how do we know that the developer had an access or that he was authorised with a check-in code? How do you know before our software walks out of the door, that it is free of viruses? How do we know that all the binaries have digital signatures, so that when you get it as a customer you can verify if this is the file that Microsoft wants me to have? So there is an integrity mechanism for the integrity of software and also assurance management to reduce the number of vulnerabilities. The first one is working with the government on software assurance and with the industry and the private sector.

The second area is CIP policy dealing and engaging in conversations with different governments from time to time. For example, in India, Microsoft, as part of the consortium, has provided feedback on the IT Act and made recommendations on amendments.

The next area is what I would call operational CIP. Operational CIP is all about how do we bring industry requirements for operational response framework, how do we bring them to align with our own processes. It is also about how we give everything that is needed by the
