To improve cybersecurity, first shed overconfidence

livemint.com:

Barely a week after the government declared the Bharat National Cyber Security Exercise 2023 a grand success, personal data of 815 million Indians, including Aadhaar numbers, phone numbers and addresses, started being hawked on the black web. Cybersecurity is different from other areas such as, say, tourism promotion: mere enthusiasm isn’t sufficient. What’s needed is an effective strategy, policy, regulation, technical standards, enforcement agencies, continuous training, user vigilance, and investment in quality education.

Earlier this year the US government released new thinking around cybersecurity regulation, in which the government would place some security obligations on private companies that provide much of the network and storage infrastructure, and state agencies would proactively seek to deter and disrupt bad actors in cyberspace. The US has also proposed a Cyber Trust Mark, on the lines of star ratings for energy efficiency, that would replace the existing system of self-certification for the expanding array of connected devices. Of course, these trust tags should include their expiry date upfront, because what is secure today may not be tomorrow.

India also has a national cybersecurity strategy in the works. One hopes the draft strategy will be opened up for public comment and improvement. Cybersecurity is a dynamic field.

A cursory survey of the website of the Indian Computer Emergency Response Team (CERT-In) reveals a diverse range of current and potential threats emanating from devices, apps and web spaces, including those used for storage in the cloud. One thing is fairly clear. Apps need to be updated when the operating system changes.