Transparency reports of Internet companies are skewed: Gulshan Rai
Interview with Cyber security chief of PMO (designate)
 "Transparency reports of Internet companies are skewed: Gulshan Rai")
Gulshan Rai has been named the cyber security chief in the Prime Minister’s Office. The director-general of the Computer Emergency Response Team-India (CERT-In) will step into his new role on Wednesday. Rai talks to Surabhi Agarwal about the tussle with social media companies over sharing data, Section 66a of the Information Technology Act and his new job. Edited excerpts:
How do we deal with snooping by countries like the US and hacking from Pakistan and China?
There is no ideal way. Whoever has the technology will use it in the manner it helps them. We need to develop our own technology infrastructure to test our products online. Awareness creation is far more important.
Our ministers use private email, government websites hold so much unprotected data.
The government is concerned. It has announced nic (National Informatics Centre) email has to be used for all official purpose. Government departments and the public sector also have to host their websites inside the country. Those sites are audited before they are hosted. While the number of websites that are hacked have gone up, the number of government websites with .gov and .in domain names has come down because of stronger infrastructure. And, the strengthening will continue.
The government is in a constant tussle with social media companies over sharing data. What is the way out?
These are complex issues and I don’t think that I am in a position to give you straight jacketed answers. I am sure they understand our position very well but they have their own problems. We want better addresal of problems. We need to talk more to them.
According to Facebook and Google, blocking and information requests by the government have been rising.
We don’t know how they compute the data. If you look at American requests, there is 100 per cent compliance. If you come to India, the compliance is less than 30 or 40 per cent. And the statistics we have in no way tally with the statistics they have. They have never told us how they compile the data. They do it by their own process, something I am never in agreement with. If they provide us law enforcement data, where is the question of blocking it?
Requests by India are not taken seriously?
No, our requests are fewer than America’s. Look at our population, look at the problems we have and the number of tweets or Youtube videos or Facebook posts made (from India). Is there any country with our kind of volumes? How many requests have been made from our end? You have to look at it from that perspective, as a percentage. If we get the data, if we know who has posted it there, we will not ask it to be blocked. If they tell us, we can tell the person who can choose to take it down himself or herself. If they work closely, things can improve. But the whole transparency report is a one-sided game, I have no means to verify how they are compiling the data. It is skewed, completely skewed.
Will having a server in India solve issues?
I am not in a position to comment on this. We make requests, they block them. I issue an order, that has no meaning. The only response I get is this is objectionable so we are blocking it. Actually they don’t block on our request, but on their policy, which means what they block are genuine cases. They should have blocked own their own, why are they saying we asked for it?
The government, especially your office, came in for criticism over Section 66a of the Information Technology Act. Is the criticism fair?
The law has been made for the people and if they are not comfortable then the law should be changed. The implications of a law are realised only subsequently.
Will we have another law to replace it?
It is not for me to comment on this.
What is your mandate in PMO?
I can’t say much but the purpose is to coordinate better (between different law enforcement agencies).
What are the high and low points of your tenure at CERT-In?
The high point is that a lot of infrastructure has come up, the low point is that I could have done much better. (Cyber attack) incidents have gone up from 23 to 130,000 during my stint. To handle those incidents, you require more manpower, resources. Resolving these incidents is a challenge as they become more sophisticated. But the satisfaction is that though certain powers have been vested with CERT-In, these were never used. The industry has started appreciating the role played by CERT-In. Several countries want to share data with CERT-In. We have been able to build trust. But we need to do a lot more.
How do we deal with snooping by countries like the US and hacking from Pakistan and China?
There is no ideal way. Whoever has the technology will use it in the manner it helps them. We need to develop our own technology infrastructure to test our products online. Awareness creation is far more important.
Our ministers use private email, government websites hold so much unprotected data.
The government is concerned. It has announced nic (National Informatics Centre) email has to be used for all official purpose. Government departments and the public sector also have to host their websites inside the country. Those sites are audited before they are hosted. While the number of websites that are hacked have gone up, the number of government websites with .gov and .in domain names has come down because of stronger infrastructure. And, the strengthening will continue.
The government is in a constant tussle with social media companies over sharing data. What is the way out?
These are complex issues and I don’t think that I am in a position to give you straight jacketed answers. I am sure they understand our position very well but they have their own problems. We want better addresal of problems. We need to talk more to them.
According to Facebook and Google, blocking and information requests by the government have been rising.
We don’t know how they compute the data. If you look at American requests, there is 100 per cent compliance. If you come to India, the compliance is less than 30 or 40 per cent. And the statistics we have in no way tally with the statistics they have. They have never told us how they compile the data. They do it by their own process, something I am never in agreement with. If they provide us law enforcement data, where is the question of blocking it?
Requests by India are not taken seriously?
No, our requests are fewer than America’s. Look at our population, look at the problems we have and the number of tweets or Youtube videos or Facebook posts made (from India). Is there any country with our kind of volumes? How many requests have been made from our end? You have to look at it from that perspective, as a percentage. If we get the data, if we know who has posted it there, we will not ask it to be blocked. If they tell us, we can tell the person who can choose to take it down himself or herself. If they work closely, things can improve. But the whole transparency report is a one-sided game, I have no means to verify how they are compiling the data. It is skewed, completely skewed.
Will having a server in India solve issues?
I am not in a position to comment on this. We make requests, they block them. I issue an order, that has no meaning. The only response I get is this is objectionable so we are blocking it. Actually they don’t block on our request, but on their policy, which means what they block are genuine cases. They should have blocked own their own, why are they saying we asked for it?
The government, especially your office, came in for criticism over Section 66a of the Information Technology Act. Is the criticism fair?
The law has been made for the people and if they are not comfortable then the law should be changed. The implications of a law are realised only subsequently.
Will we have another law to replace it?
It is not for me to comment on this.
What is your mandate in PMO?
I can’t say much but the purpose is to coordinate better (between different law enforcement agencies).
What are the high and low points of your tenure at CERT-In?
The high point is that a lot of infrastructure has come up, the low point is that I could have done much better. (Cyber attack) incidents have gone up from 23 to 130,000 during my stint. To handle those incidents, you require more manpower, resources. Resolving these incidents is a challenge as they become more sophisticated. But the satisfaction is that though certain powers have been vested with CERT-In, these were never used. The industry has started appreciating the role played by CERT-In. Several countries want to share data with CERT-In. We have been able to build trust. But we need to do a lot more.
With the government’s Digital India initiative, what new challenges have emerged in the cyberspace?
Internet has become a part and parcel of our existence. Internet is also expanding today, we have more than 300 million users, in fact, unconfirmed reports say that there are 400 million users if you include small time users from mobile phones. Today, a lot more hardware and software is coming in the form of embedded software or at the chip level or the semiconductor level, which we can’t change. An increasing number of embedded systems means more vulnerabilities. Be it mobiles or even the LCD or the LED device which also have an embedded chips Even in LED bulbs there are circuits, everything is becoming more Wi-fi. And until and unless those interfaces become completely secure, there will be vulnerabilities, which can be exploited by the adversaries for their own benefit.
More and more penetration of IT and cyber is going on everywhere and it is becoming increasingly important that we become secure. The Prime Miister said in his recent March 1 address at a Nasscom summit that it should not happen that nobody touches mobile for the fear of it being unsecure because we are going to do all transactions at some point. And we must secure it otherwise it will become a chaos. Digital India is a large project where large scale integration is going to happen. So many services will be delivered there, which will lead to higher productivity, efficiency, faster services to the citizen there. Digital India programme is a game changer in that sense so security become far more important under it.
Since more things will be on internet, threats will increase, so what steps the government is taking to be better prepared?
The government is fully aware that these threats will come up. The PM, the NSA they are all charged up, they are tech savvy and they understand these issues very well. So number of steps are already been taken. The national alert watch system is already there in form of the CERT, a centre for the critical sectors has been set up, best practices have been announced etc. We are also taking up the issues at the international relations level, so a number of steps have been taken to beef up and to move up the value chain so that it can help in creating a secure environment, where you can do secure transactions.
What is the update on the Botnet clearing centre and the National Cyber Coordination Centre?
The government has now taken up the implementation of these projects. The Botnet cleaning centre is in the process of implementation, which detects the compromised systems, works with the ISPs, identify the system and notifies that your system is compromised. Today for a common man, it is difficult to recognise that a system is compromised, so the centre will help them to clean up the system. And similarly the NCCC will keep on detecting the compromised security breaches and will keep on notifying. It is all in the public interest, there is lot of confusion, miscommunication about it but the thing is that it is only purely helping the citizen to clean up their system from a security point of view.
The PM said recently that for almost all major heads of states, cyber security is a major concern. Compared to other countries, where are we lacking?
It is very difficult to say where are we lacking, nothing is 100 percent secure. Innovations are taking place so quickly, today Samsung S6 has been announced, a couple of months ago Apple announced iPhone 6 and 6 plus, when new technology comes up, it brings new issues also with it. At no point of time you can take rest saying that everything is secure. We have to be on our toes always. But we have started taking steps which are in line with the international scenario. And I hope we will be able to move dynamically into this area.
What are the biggest challenges that you face?
The biggest challenge is the large population. No country other than China has that much population. But China has a different kind of environment. The whole security ecosystem involves people, process and technology. And technology is only 20 per cent of it so the main issue is people and process. If people are aware, they will certainly understand the processes there. If your processes are good, you can use technology effectively.
ALSO READ: We need 400,000 skilled people to address cyber security, says Gulshan Rai