Cyber emergency: Teach, train and employ half a million ethical hackers

Don't want to miss the best from Business Standard?

 

A large financial services company was recently the victim of a phishing attack and had to deal with a significant chunk of its data being compromised. The company would have saved the crores of rupees it subsequently spent on containing the damage had it spent a few lakhs on deploying the services of ethical hackers.

A couple of years ago, hackers managed to break into the computer system of the personal secretary to the chairman of a large Indian business conglomerate. They managed to access details of the chairman's family addresses, tax filings, meetings as well as official mails, before it came to the notice of the company.

These are not isolated examples. Several organisations have had to repent for not deploying ethical or white hat hackers to test their internal and external technology infrastructure for vulnerabilities which could be exploited. The reasons are manifold - low awareness about the concept of penetration testing ethical hacking, the high cost of services and unavailability of the right skills.

Although demand for such services is rising, with large information technology (IT) enterprises such as Microsoft, IBM and Hewlett-Packard offering these, experts believe India has a lot of ground to cover.

Lack of implementation of proper cyber laws, less cyber security research and fewer educational centres are some reasons holding back ethical hacking in India, says Neil Richardson, course leader for a master programme in information systems security at Sheffield Hallam University.

Being among the top IT countries in the world, the need for ethical hackers is huge in India, as the percentage for hacking crimes, data theft, data loss and other cyber crimes have seen exponential growth in the past few years, he adds.

According to the recently released National Cyber Security Policy, the country needs almost 500,000 cyber security experts, while rough estimates put the current available personnel at about 30,000.

Shree Parthasarathy, senior director (enterprise risk services), Deloitte India, a consultancy, says the market is dominated by fly-by-night operators, which provide a false sense of security to companies even as people with the right skills charge top dollar, making themselves unaffordable.

"Awareness across the US and Europe is significantly higher than in India as a lot more information related to cyber crimes is shared within the industry and the number of incidents of cyber fraud reported is higher," he points out.

According to Kamlesh Bajaj, chief executive of the Data Security Council of India, while ethical hacking has been around for some time now, companies still use the shortcut of security certification instead of the more elaborate testing. "Most companies that use the services of ethical hackers are in banking or the technology sector." Bajaj adds. Banks naturally have a lot of money riding on security and IT companies have contractual data protection obligations with clients.

If the government has to meet its target of 500,000 cyber security experts in three-four years, it will have to align college curriculums accordingly, says Parthasarathy.

Several universities are gearing up to offer courses in this area; however the numbers are small. "Countries like the US are more organised in terms of generating talent, incentivising their universities to offer such courses," adds Parthasarathy.

Alongside the talent crunch, there are thousands of under-skilled or small-time hackers who are drawn to unethical hacking for lack of opportunities, says Jiten Jain, a cyber security analyst and a mobile warfare researcher. They are employed by private detectives or are tempted to hack for small sums of money. "It is important to bring them into the loop," he adds.

Indian Infosec Consortium, an association of professionals working in the field of cyber security on its own initiative, alerts the government against potential or existing cyber threats. Also, the National Security Database, a community of white hat hackers, devotes some of its cyber time towards national security.

Rajshekhar Murthy, director of the National Security Database, says hackers from his organisation go through a psychometric test in order to qualify for working on government projects. "Sometimes, the government engages us for specific projects, at other times we alert them about vulnerabilities."