EXCLUSIVE - In conversation with Internet Society’s Rajnesh Singh (part 2) - Shared responsibility for cybersecurity, persistent issues with cloud
In the second part of the interview, Mr. Singh talks about tackling cybersecurity threats through a shared responsibility regime and data portability and interoperability issues with cloud.
Part 2 of a two-part interview
We continue our discussion with Mr. Rajnesh Singh, Regional Director of the Asia-Pacific Regional Bureau at the Internet Society in this second part of the interview. Mr. Singh talks about cybersecurity threats and countering them by moving towards a shared responsibility regime and adopting a back-to-basics approach by diligently backing up data.
He explains how certain problems with the cloud, namely limited data portability and the absence of interoperability between different cloud platforms, have persisted over the years and how industry can come together to sort out these issues.
Mr. Singh said that countries like Singapore and Korea are able to see IT and IT systems as critical to their future growth.
They are able to invest in security and have been doing so for a long time. Developing countries often don’t have the economic power to invest at similar levels.
The whole security landscape is changing. Organisations allow BYOD (bring your own device). Each of us carries three or four computers with us: smartwatch, tablet, computer, smartphone.
They are all smart devices. Some of them can interact with each other without us knowing. Mr. Singh raised the question of what level of control we have over these devices.
“Let’s say you want to buy a new car. Most people tend to look to European manufacturers as a choice brand for a car. They have built up a solid reputation over decades. Now there is smart technology embedded into those cars. But these manufacturers are not an IT company, they are car manufacturers. Their IT submodules are either outsourced or they take a kit and they assemble something around it and put it into their car. These car manufacturers are concerned about maintaining the car, not the IT system. How often do you think they will put patches out to update its smart systems in the car? Your big technology companies probably do it on a weekly basis. Will car manufacturers do that? I don’t think so,” he elaborated.
He said that we have to move towards a shared responsibility regime now, what we could call collaborative security. Everyone around the ecosystem, including the user, has to bear some share of the responsibility.
“They need to be aware that I am buying this smart device. There may be vulnerabilities in it. I need to keep it updated and I need to be aware of what the device does, what data it is collecting, where the data is going,” Mr. Singh advised.
Industry, governments and educational institutions have a key role to play in this regard. There has to be a multi-stakeholder approach to it. We can’t just depend on one entity, on one organisation or the government to do this. It’s just not going to work. It’s too big now, there are too many things happening, all at the same time. No one has the scope or the capabilities to do it alone. And the threats will grow.
Today’s children are digital natives. So, the entire approach to digital education has to change.
It is no longer enough to teach about CPUs and keyboards and Word and Excel. Children have to be taught about their digital footprint.
Mr. Singh said, “This is what happens when you do something on the Internet. These are the traces you leave when you go to a website, a cookie stored in your machine, observing what you do, what you are downloading, what sites you access, how much time you spent on it, where you went to next. That awareness has to go to a different level now.”
There are hackers who break into systems for fun. And then there are those who do it as a criminal enterprise, to make money out of it. The latter group, the criminal enterprises, are getting smarter at an alarming pace.
In the face of these rising threats, a back-to-basics approach is required. “Back up your data. Do a physical backup. Back up to the cloud. Don’t just do one. Do multiple,” said Mr. Singh. “In the old days there were these backup tapes. And you have that cyclical process of the tapes. We had 7 sets of tapes. Each one, you put in at a different moment in time. So, just in case, something happened to that set, you have the previous day’s set which you can recover.”
“But I think we are becoming complacent. I have asked a lot of people from interesting companies, show me what exactly you do for data backup, and you realise they take one or two backups, some goes to the cloud, some moves to local NAS kind of stores. And they think they are done. How about offsite storage? And if it is critical data, putting it into an encrypted vault somewhere, where there is a greater chance of it not being broken into. Like customer data for example. Or your company’s financial records. That’s not really happening in the way it should.”
Mr. Singh explained that technically, cloud computing is nothing new. If we go right back to the early days of the Internet, that’s what the Internet was. It was on the cloud, except that it wasn’t called a cloud back then, like we call it now.
Some significant challenges remain with the cloud, with regards to portability of data and interoperability between different clouds.
If a company wants to move its data from one cloud to another, data portability is still a challenge. Similarly, an organisation may want to use two different cloud providers for backup purposes, sending data to both of them so that if something happens to one cloud, the data can be brought into the other provider’s network. That would still pose a big headache.
The cloud is the cloud. It can be anywhere. But then the jurisdictional issues come into play.
“Let’s say you have customer data here in Singapore. Your cloud provider let’s say is in the US. That means Singaporean data is sitting in the US machine. You need to know what the chain is, where exactly is the data stored and do we have consent to store it in that cloud,” explained Mr. Singh.
Data protection and privacy regimes are going to become more and more important going forward. There are a few frameworks floating around, such as the APEC Privacy Framework. But there is no consensus yet on something that is globally adopted.
Particularly for smaller companies providing cloud services, it might be a daunting task to look at every data protection law in every jurisdiction to ensure that their systems are compliant. The company might then decide to limit its operations to a few markets, which stops it from growing further in other markets.
Mr. Singh said that if the interoperability and data portability problems are solved, they could fix a lot of the other problems as well. Because if you can take your data and go to somewhere else, at least you know that you will have control over the data set.
We asked how these two issues could be tackled. Having one or two dominant players is obviously not the optimum solution. So, how could industry standards be set?
Mr. Singh responded that it could potentially happen in two ways. One is the industry follows their own standards. They come up with a best practice and everyone adopts it.
The second is the stick approach. Government comes in and starts regulating everything. Companies will not want government regulation. So, it’s really in the interest of the companies themselves to come up with best practice standards which are acceptable to everyone, current players and new potential entrants.
The industry needs to come together for this. Whatever the industry decides, it should be for the betterment of the industry, enabling everyone to compete better and providing greater choice to customers. There are ongoing efforts but there needs to be more.
Having conversations about social implications of the Internet
The founders of the Internet never thought the Internet would be the way it is today. It was just an experiment. They were playing around in the lab. Can we make computers talk to each other?
They hadn’t even imagined the explosive growth of the Internet. The 4.3 billion addresses of IPv4 (Internet Protocol Version 4, deployed in 1983 for production in the ARPANET, the US Department of Defense network, which is sort of the precursor to the Internet) have run out today and IPv6 is being deployed.
Today the Internet has become the core of what we do in any dimension of life. Mr. Singh said, “Now it goes without saying that the Internet has done a lot of good. Look at all the things we are able to do today. But I don’t think we have talked enough about what are the social implications of this. We like to talk about the good things. And hush ourselves and go off to the side when we have to talk about the not so good things. I think we need to be a bit more open on those issues now.”
In May this year, the Internet Society had an event with Chatham House talking about what the social implications of the Internet are and where we are heading. Similar conversations need to happen more frequently and at a wider level.
Mr. Singh went on to say, “Internet is having an impact on young children, the issue of revenge porn has come up recently, the Internet doesn’t create those problems. But it gives people the opportunity to exploit, scale and magnify the impact that may have. Cyberbullying is another example. Bullying has always existed. Cyberbullying is just a new method. The mass market approach which the Internet enables sometimes makes it worse.”
“The second thing is who should have those conversations. Should it be the IT guys, the government people? No. It has to be a collaborative approach. Multiple stakeholders need to be involved. Civil society, activists, NGOs, the IT industry, governments of course can play a big facilitation role in this. Non-profit organisations such as ourselves. And other industry organisations, computer societies, the industry professional associations. They will all have to be a part of this conversation.”