Arthur Coviello, Executive Vice President, EMC Corporation and Executive Chairman, RSA Security, believes that controlling governments, businesses and activist groups all need to work together to be able to fight the threats of cyber security. In a chat with Shivani Shinde, he talks about the changing threat perception and the need to change the security system. Edited excerpts.
There is an increasing trend among governments across the globe to control the internet. Do you think it's possible?
It is hard to do so in a free and democratic society. If we have freedom of speech, you cannot control the vehicle of freedom of speech and honouring privacy. But there is a lot of irresponsible behaviour on the internet and lots of criminal violations, and the government needs to react. I think there is a frustration among the government over how to protect people without hurting them. That's the dilemma.
But is there a solution?
I think there is a solution. The trouble with cyber security is that there is a lack of understanding. Governments, especially in the US and also perhaps in India, get hit by businesses that do not want any regulations. Then there are the security departments, military and intelligence, who say that there are bad people out there and too much freedom will allow them to take undue advantage. Then there is the activist group. Moreover, there is a host of legal issues, as laws need to change according to the changing times and around digital content etc.
So yes, there is a problem. I like to use the Indian metaphor of the three blind men trying to describe an elephant. Like the story, in the cyber world everyone has a piece of the issue but no one is ready to see the issue holistically.
This issue needs to be addressed because there are criminals at work, there are nation-states that would harm your security, and we ought to be able to protect ourselves without giving up our freedom of speech; in the bargain, you might have to give up some part of privacy.
How have the threat levels changed?
A lot of change has happened in the last 10 years. In 2002, at most you could buy a book from Amazon and perhaps look for something on the internet. Not much was going on on the internet then. From an enterprise standpoint, most of the applications were on client-server. Fast forward to now, and our life is linked to the internet. You will see more and more commerce happening on the phone.
So we have created more openings for the criminals to attack us, and for rogue nation-states to take advantage.
Ten years back there was no criminal ecosystem; people were doing denial of service attacks, but these were of nuisance value. In 2004 we started seeing phishing attacks, and by 2005-06 you started seeing a real robust development of malware. In 2008-09 you started seeing budgets being created to break into systems and networks. It's now getting worse.
How well prepared are Indian enterprises and the government to face cyber threat attacks?
The Indians or Brazilians are better equipped to defend themselves compared to their counterparts in the west. But the problem is in the security models. The models that we have today are old models. They are based on perimeter defence. The security models of today consist of static controls; they are not dynamic, and they do not react to facts and circumstances. Today the perimeter controls are also siloed; the controls do not add value to one another. Today's model is also very compliance driven.
The system that we advocate is an intelligence-based model. And that means it is aware of risks. The new security model needs to start with risk; the controls need to be more dynamic and aware of situations. In other words, you need to spot anomalous patterns of behaviour not only with people but about information and transactions. An intelligent system balances prevention, detection and response. A perimeter system is all about stopping risk.