NASSCOM Cyber Security Task ForceWorking Group Discussion Slides

June 10, 2015

A NASSCOM® Initiative

NASSCOM Cyber Security Task Force

Industry Development

Policy Development

Technology Development

Skills Development

Four Working Groups

Scope / Charter Recommendations

CSTF Working Plan

Opportunities for Indian Industry

NASSCOM envisages the Indian IT-BPM industry to achieve a size of USD 350-400 billion by 2025; the country can aspire to build a cybersecurity product and services industry of USD 35-40 billion by 2025

Currently, Indian industry revenue from security is estimated to be around 1% (USD 1.5 billion) of overall IT-BPM industry revenue (USD 146 billion); by 2025, India can aspire to scale it to 10%

Generate a million skilled jobs in the security space by 2025 to cater to the rising global demand of security professionals – current global shortfall is estimated to be around 0.7 million, expected to rise to 1.5 million in 2020 as per (ISC)2 – Frost and Sullivan – Booz Allen Hamilton Report

A NASSCOM® Initiative

Global Initiatives/ Best Practices in WG Domains

• In Israelo 200 cyber security firms; 78 companies have

raised USD 400 million since 2010o cyber related exports are more than 5 percent of

global market

• US Department of Homeland Security has nurtured cyber security start-ups like Kryptowire & Nowsecure

• Israel: Cyber security incubator established; Ben Gurion University has become the hub of Cyber Security Research and innovation.

• US: The federal cybersecurity R&D strategic plan intends to strengthen and leverage the link between industry and academia.

• UK: National Technical Assistance Center: Research in encryption & cryptanalysis

Technology DevelopmentIndustry Development

Skill Development Policy Development

• Many countries have established processes for policy implementation, proactive review with clear activity timelines and accountability mechanisms

• Policy push – R&D investment, IP ownership & product commercialization

• Policy enables PPP initiatives - Coordinating Councils in US, National Cyber Security Hub in UK

• In US, protection for organization sharing security information with govt. through Cyber Intelligence Sharing and Protection Act (CISPA) – bill debated

• In UKo Government offers apprenticeships to boost the

number of civil service cyber specialists, cyber security training in further and higher education

o Cyber specials’ program to bring volunteer police officers with specialist skills

• Israel Education ministry has set up after-school programs for cyber security in middle & high school.

• In US, National Initiative for Cybersecurity Education (NICE) for cyber-savvy citizens and building cyber-capable workforce.

A NASSCOM® Initiative

Industry Development Group

A NASSCOM® Initiative

A NASSCOM® Initiative

A NASSCOM® Initiative

A NASSCOM® Initiative

A NASSCOM® Initiative

Technology Development Group

1. Visibility & Motivation - PM as ‘brand ambassador’ for ‘Secure India’ Movement: The research and innovation in the area of Cyber Security requires a major impetus if India is to emerge on the global map. The Honorable Prime Minister be requested to help create a national movement ‘secure India’, and be the ‘brand ambassador’ to galvanize the faculty and students at nation’s academic institutions, and young Indian innovator firms in a movement similar to ‘Swachh Bharat’ for cyber security research and development of products. National, State and college level hackathons to be also held.

2. Creation of Sectoral CERTs+: Each core industrial sector to have a ‘sectoral CERT’ on similar lines as the (RBI’s) Banking CERT. These to act as means for i) cyber security intelligence exchanges for respective sectors, ii) be affiliated with the sectoral Government Regulator and create sectoral compliance regulations, leading to direct creation of demand for sector specific cyber security solutions and create impetus for product innovation by the industry in response to the demand, iii) Enable sector specific PPP partnerships for R&D by academic institutions (COEs, labs, etc.) and innovation of security products by the Industry, by giving visibility to sector specific needs and revenue potential, iv) have a role in validating new technology solutions and setting standards for their sectors,

3. Role of Industry - NASSCOM, DSCI & Other Bodies: i) take the initiative in creation of Sectoral CERTs+. ii) Help in creation of a PPP innovation & incubator fund

(see para 6 below), ii) Mapping of existing Industry capabilities and products, iii) Facilitate academia -industry collaboration for commercial incubation of R&D outcomes. iv) Work with Sectoral CERTs+ for identification of sector specific requirements and Technological Gap identification

4. Reduce Procurement Barriers for new Products of Small Firms in Govt Procurement: Govt will be the single largest customer of cyber security products. i) New innovation driven technologies and products by innovator firms must have a means to meet the procurement qualification requirements. For this there is a requirements to create ‘testing certifications and quality standards’. If a young Indian company can successfully meet, these then it would be eligible for R&D grant/subsidy of the testing certification cost, as also its products eligible for govt procurement (often as OEM through SIs). Ii) Procurement plans and roadmaps for the govt requirements must be released for next five years annually, this would make the potential demand and revenue potential visible to the Industry of the ‘largest customer’ and help Industry in taking commercial decisions to invest in ‘product development and R&D

5. Govt to Outsource Paid R&D to Small Innovator Firms and Academic Institutions: The R&D base of the country needs expansion through outsourced paid research for greater access to talent and grass-root innovation capabilities that exist in the private industry

6. Creation of National Cyber Security Innovation Fund: A PPP based fund with participation by the Govt, Sectoral CERTs+, and the financial institutions with the main aim to identify new technologies and products and innovator firms to invest in, mostly at commercial terms. This fund would also act as the incubator for new technologies, in partnership with Sectoral CERTs+ and R&D institutions

Recommendations - Technology Development WG

A NASSCOM® Initiative

Skills Development Group

One million certified skilled cybersecurity professionals by 2025

1. Develop cybersecurity as a national mainstream cadre. Mandate through SSC, global best practices and certifications:

• 200 universities/colleges to run both dedicated stream and commercial research• 200 vocational training providers• 5 regional security hubs integrated with industry

2. Select 100 Cybersecurity “Drone”acharyas and establish 10 COEs to create a pool of expert Cybersecurity trainers

3. Govt. declares cybersecurity as a strategic sector on par with the space, atomic energy and defence and make investments for capability and capacity building

4. Attract the best talent for Cybersecurity via widespread advocacy, early introduction in schools and talent search through hackathon and reality shows

5. Mandate Cybersecurity health index of essential public services, critical infrastructure and public companies

6. Embed Cybersecurity in the academic curriculum across all levels for creating cyber aware citizens

Excellence@Scale

A NASSCOM® Initiative

Policy Development Group

A NASSCOM® Initiative

Policy Development

Policy advocacy (initiatives/ amendments) required for CS Industry (Product + Services) Development Ecosystem

1. Capability Development through PPP

Addressing trust issues (PPP) – Contracted projects to private sector to develop solutions/ technology, security clearance of individuals; secure sites

Establishing Cyber Military Industrial Complex

Engaging industry (including startups) on contracts in existing CS initiatives such as NCCC, Botnet Clearing

2. Promoting innovation and startups

Govt. promoting startup ecosystem (funds, incubation, infrastructure, IP-Patent issues etc.) to be developed; single window or distributed?

System Integrators (SIs) to include and promote startups in solutioning eg. internal incubation programs

Procurement (including tendering) & audit processes of govt. to encourage startups – eg. EMD requirements, market share restrictions, etc.

3. Showcasing Indian industry abroad – international delegations, conferences, road shows etc.

4. Testing and Assurance mechanisms – Test Labs, Certifications – harmonized with global standards, domestic + global market + becoming global delivery hub

5. Enabling Framework – Cyber Commission; Privacy Law, Info exchange framework, encryption policy, Cyber Security Act (mandatory disclosures on structure, investments, etc.), LEA capability building, international cooperation etc.; whistleblowing provisions and policies in government & private sector; e-security index

6. Inputs from Industry, Skills and Technology WG

Thank You