 Now I'll first speak and comment against the floor for today. Dr. Gulshan Rai. Dr. Rai is the special secretary of cybersecurity for the Prime Minister's Office of the Government of India. He has 34 years of experience in different areas of information technology, including cybersecurity, e-governance, legal framework and the Information Technology Act for e-commerce and several related areas. At present he is the special secretary of cybersecurity for the Prime Minister's Office of the Government of India. Prior to this, he was Director-General of CERT-In, the Indian Computer Emergency Response Team, and Group Information Technology. He was Executive Director before that of the Educational and Research Network of India for over seven years, and he was instrumental in setting up the first large-scale educational research network in close collaboration with the leading educational and research institutions in the country. He'd been the chief architect of the Information Technology Act for the first few years of time in India. Dr. Rai holds a doctoral degree in entertainment and has published several papers on e-commerce, cybersecurity, cyber laws, education and networking and has presented the stage in several national and international conferences. My great pleasure to welcome the stage, please, Dr. Gulshan Rai. Welcome, please.

Good morning to all of you. I profusely thank the Open Group for inviting me to share my thought or share some of the views with you and trigger to get the views from you, because the subject which I deal with is a multi-task subject and everyone needs to participate equally with the same right to strengthen the objective which with the subject was involved. I'm also grateful to Steve for saying some good words. Friends, I have been interacting with the Open Group for quite some time. I know how Dr. Koshy and our friend James have been coming to the country.
Now it is more than three years, approximately three and a half years if I'm not wrong, going from post to pillar to promote the activities or the ideas, good idea for the Open Group, pursue and stand for. I have exposure activity and what they want you to do. So when Dr. Koshy spoke to me, of course he spoke to me about well in advance two months ago, I was quite thrilled to come and interact with you and participate in the good activity which Open Group is trying to pursue and spread out not only in this country and other parts of the country. I'm sure as we move on the Open Group also will keep on transforming their activities, because what we see in the IT and cyber space is altogether different than what we have witnessed couple of years ago.

Today you think of any activity, whether in the personal life, professional life, defence, civil, military space, financial sector, economic sector. There are two clear distincts what you see. One is the conventional part. For example, if you have the banking sector, there's a branch, there are savings account, there are current account, there are loan account, you have a cash credit register. You go to the education sector, faculty comes, undertake research, teach the students; that's the conventional part which we are well aware of it. But the second part is the IT part in every activity. This IT part is driving the, cyber part is driving the first part. Imagine, can we have research today if the IT is missing? How much chaos was created in this demonetization exercise when people were not able to get money from the ATMs? For couple of days there, long lines were there. The ATM is nothing but a part of the cyber. So cyber part is becoming more important and it's driving the productivity or efficiency or the objective you want to achieve as a part one. That's the power the cyber has achieved today and in time to come it will grow and make us more independent.
I just put some schematic diagram of how does the cyber space look like. Connected work, every device today which is manufactured is connected on the net. Every device manufactured is a software building. Some sort of operating system is sitting there in any, every device, maybe smaller or smaller size software program or the larger size software program, but everywhere some software is sitting there. This is some sort of a diagram which I have put it. There are, if you see on the globe, there are internet links are going on about the fiber cables or the submarine cables. Then you have the e-governance program, you have the economic program, IT-BPO sector which is a Bangalore post office software industry. You have a data center, you have a mail center, you have ISPs who are in between there trying to connect everyone. And the recent part is the connectivity or bringing of the IoT devices on the cyber space. As per my estimate half a million IoT devices are already connected on the space, and I presume it will be more, but whatever my estimate I could get it.

It looks to be quite simple when you draw a diagram, but imagine what does it mean to us and what does it bring to us, what alarming factor it brings to us and what productivity factor it brings to us. Yes, at the stroke of a press you can connect to anyone. Make your bill payment, book your ticket, you can do. Look at the Google, what it benefited is brought to you; you can search anything. Today something comes in the mind. Any point of time you are traveling in a car, you are sitting in a bus or you are standing anywhere, something comes in the mind. You have an instant solution: type Google and in Google, go to Google and type it and you will get some answer. May not be correct answer, may not be the exact answer, but you will get answer for which will give you the further insight how to go about. New device comes up, gets connected on the network. New equipment comes up, gets connected on the network.
It's a unique feature there and it's much different than what we have seen in convention. If you look at the IT sector, IT equipment or IT companies or you look at your ISP services and if you look at the internet, the complete different model is there. In a conventional equipment service provider, it is set up by a private entity used by the public entity, public, used by the public. All of us use it but set up, maintained service by a private entity. He has his own rights but when you come to the internet, can we say it is set up by a private entity? Look at the root servers, mirror servers, DNS servers, open servers. These are all, model is different. These are set up by the public. In the public resources, these are set up by the public sources and the users are private. We all use for our private purposes, for our official purposes which is private. So the entire model is different and that makes the big difference in what we have seen in the conventional and what we have seen today. Our revenue model is different. Can you think of you are sending a WhatsApp message and you are not going to pay anything? You are searching Google, you are not going to pay anything? It's a good efficiency, good productivity model but then it's a complete transformation but then it brings other challenges before us which I will dwell on the challenges what challenges they bring before us and how the Open Group becomes important in this.

So this cyberspace is getting complex day by day, day by day. New software comes up. New software you load on that. You download an app on your mobile phone. You don't know from where the app has come from there. Who has developed it? How does it go and sit inside your mobile phone and how does it interact with other phones? Is it genuine or fake? This is the word which we are dealing with this in the digital economy and it has brought so many challenges.
Now the same cyberspace of anonymity, virtualness or the borderless, whatever words we talk about it in popular jargon, has resulted into adverse impact also. Because of these features only, I can open an account in anyone's name, maybe in the name of anyone not existing there. I can morph the account and keep on transacting whatever way I want to do. I remember in 1989 there was some cases of virus breakout and the issue was raised in the parliament. One of the renowned politician was the chairperson in the Rajya Sabha. When the issue was raised, renowned person being from the medical field, he says, "I have heard about the virus, but why are you raising it, why are you bringing the IT into the picture? Go and talk to the medical or go and talk to the All India Institute of Medical Sciences." That's the first time the issue was raised, virus. It's a parliament set up a committee, I was a member of the committee, go around it; we went to the, came to the Bangalore also, talk to the people, talk to the Microsoft, and we started some exercises. But the journey from 1988 or 1989, look at the journey where we have come. It used to be a simple injection: you can spoil the website, add something, anti India slogan there, put anti Kashmir slogan there. Then we had the kind of a box malware, we talk about the malware, we have the DDoS, denial of service attacks there, and then now we are moving to third stage. So we have seen intrusive stage, we have seen the disruptive stage where the operations are disruptive, ransom, ransomware; we have moved into the damaging stage. Ransomware is indication of the damaging stage. Where how we have moved, how we have transferred from this, at this scenario has a linkages with the complexity in the cyberspace. As the cyberspace become more and more complex, the complexity in this cycle also will keep on increasing, the factor which I told you. If you look at the scenario, which worldwide scenario which we see here, certainly some countries are playing elite role; the activities are
they are victim stencils and they are source of the problems also by them, and not that those countries are promoting that, but then the automation is so much in those countries that you can see the any type of activity happens there. Most of the .com servers are hosted there, most of the .org servers are hosted there, most of the .edu servers are hosted there; out of 13 root server 11 are hosted there. Naturally, when you have so much proliferation, so much transactions happening there, your malicious part also will be very high.

There are about 11 things which have emerged and become very important in this era of digital economy, and when I hear, see that mobile transactions are going to go up, these 11 trends need to be kept in the mind. Government roles expand. Many of you would have been aware of the activity of ICANN, which manages the entire internet, situated at US; it has gone a transformation recently by adopting a multi-stakeholder approach, and rightly so multi-stakeholder approach, because the technology does not distinguish between a poor and rich, between military and civil, between a critical sector and non-critical sector, home users or any kind of a system there. You can create your scenario from any corner, from a mobile phone or from now from the IoT devices. All of you would have heard, in a 2 by 2016, the IoT baby monitor: a mother went and left the baby monitor, a fisher monitor, to the child, and it created a problem and shut down the internet for some time; a large part, the western coast of the US, was in a problem in October because of the baby monitor. So he is a home user; that's why it has a multi-stakeholder role in any manner, positive or negative. But among all these things the government role is expanding, because whatever policy you make it, the government will have to do; this is the fact of the life and this will happen. Cyber offense by non-state and state actor affects everyone. I have seen number of cases, I see the cases there, and mind-boggling cases: the DDoS attack, Denial
of service attack will start; many of the home computers will be compromised by some non-state actor, a state actor, and start launching the denial of service attack. There is no distinguish; everyone gets impacted by them. Attackers are much more adapting, evolving as compared to the people who are defending it; defender comes only as a reactive response rather than a proactive response. Complexity of the cyber attacks is increasing. All of you are from the IT area: investigating malware is becoming a challenge, collecting the software building signature is becoming a challenge. Ransomware has impacted entire world, our country also there. You design one antidote to a problem, next the variant comes up and again you struggle with that. One third of the internet traffic is from the SSS protocol, desktop internal protocol, and 92% traffic today on the internet is encrypted; what a problem it creates for the law enforcement and security agencies. The threat detection requires collection, you know, where the data to be threat detectable; analyzing the threats you require to know where the data will be there. Data is present, is omnipresent; you don't know where the data sets are lying, where all the data are there. So the collection of the data for the purpose of analyzing threat is a challenge and it requires a deeper analysis there. Life safety and cyber security intersecting thought; I have quoted the example of it where we monitor.

Cyber litigation has gone. I can narrate an incident. We started writing the Information Technology Act in 1998. I used to go to the law secretary, because we have to get the legislation from him; he will say, "What is the need of this?" I have to struggle to explain to them. I use the service of IBM to take all the senior officers in the government to explain the what is digital signature. Hardly anyone, any legal luminary so-called, they were heard the jargons of the cyber; nobody has any appreciation. Not that the position has changed dramatically today, but lot many lawyers have
found interest in this and they are learning; they have become much more knowledgeable as compared to 1998 or maybe 5 years ago. Every litigation which goes has a cyber part: pen drive, Facebook. Every litigation, civil litigation, criminal litigation, cyber is gone, and the cyber litigation is going on. We are not able to investigate the cases; the cases are very, very high. You can, you have gone through the that media news, 3.2 debit cards; media comes into the picture, they make it a big issue, probably comes in because everyone affected somewhere, some ATM date, and 3.2 million debit card started getting it. That's the impact. The civil litigation is increasing there; as a result our civil, our the lawyers, judges, they are more now, they are getting into how to understand, how to address the civil litigation part in the cyber area. Expectations are increasing. I quoted 3.2 million debit cards there, made so much a noise; they expect government to do something, they expect banks to do something. The expectation increasing because awareness is also increasing, and suddenly media has played a big role, seminars have played a big role in increasing the awareness of the people all across the society. As a result of everything, trust and integrity is undermined. Today you take any device, first thing comes in the mind: can I trust it? Where all the leakage will be there? This is the position we have come.

What is today's challenge? As I said, data is omnipresent. So many transformations are happening: you have a BHIM, transfer the money; you have a ATM, transfer the money; so many interfaces are there in between. Every banker is trying to introduce application where they want to do away with the use of the password, so death of the password is a visible sign which will happen, which is happening there. This is the trend today. Data become omnipresent: how do you know, where do you know, what over transactions you do, where all the data is present? In a BHIM app, which is a Bharat Interface for Money, the flow of data is from
a mobile phone to BTS to the telecom equipment of the telecom service provider to NPCIL then to banks. This is a broader category, but when you analyze each category, so many devices are come to the picture and they participate. Data is present everywhere; all routers will have some of the data there. User identity based access: everyone is talking about user identity based; that is a trend, suddenly we have to do that. Privacy is getting more important. Biometric, voice and finger print: any application you go, it says biometrics; God knows whether he is verifying or storing or where all is taking it. Again, the data of omnipresent. Multiple technologies integration: when you send a message from your device to another device, SMS or any WhatsApp message, it passes through multiple device in deploying multiple technologies. Malware is a part of the, part of the day, part of your life. Can anyone say that mobile phone does not have a malware? You don't know the app you are downloading is authenticated, not authenticated, what software, what malware it brings. Take it guaranteed that every mobile device has some or the other malware built in into that or downloaded into that. Any point of attack, we have to build up embedded security to address all. So how do we, these are the trend and these poses the challenges; these are the challenges we need to address if we have to move, if we have to move in the digital society, we need to do this.

Now what do we see worldwide? As I said, is a unique feature: set up and maintained by public and used by the private. The result is this, that much of this global infrastructure is unsupported or operating with the known vulnerabilities. Still ATMs in most part of the world, they still use the old PCXP operating software; Microsoft has withdrawn, they are not supporting the security, providing the security patches. Vulnerabilities are there. You get the router: how many of them are patched up regularly? I have seen antivirus software, the companies are marketing automated solution there,
they put a console where you have a large number of systems, they want to put the console and want to upgrade antivirus; it never happens. The console shows some figure; it never happens there. Un-patching is an issue in this interconnected world. Many of the vulnerabilities are very old; I have given an example to PCXP. Many of the devices, camera devices, interface with it, is old devices there. And today's interconnected world: I have a one account on Google, it gets connected to all, Google Hangouts, Google search engine or my Gmail, everything gets, my calendar; one account, one password connects there, and I access those things from different devices, different software; none of them are patched up, and they complexity to the malware is increasing. All those my friends here who are, who deals with the malware subject, they will certainly be aware of the issues there.

Now India has a unique footprint on the internet of the US and UK. We are the second largest internet users country in the world. The internet users are almost touching 600 million today in the country. The unique mobile phone are 661 million user in the country; with the population of 1.22 billion people, 661 million users are unique on the phone, and certainly 50% of whose server has a smart phone. The percentage is now almost reaching towards 50%; they have the mobile connectivity, they have the internet connectivity also. Apart from your desktop, they have a significant footprint on the internet. Every device is hosted here. We have a statistically a magnetic problem of the patching issues in the country; that's a, we need to make something to improve the scenario and that will make a big difference. The rank of India goes up and down in terms of spam, in terms of botnet, but at any point of the time very high among the first spam or the talk of botnet. Our population of the PCs, devices are increasing and this problem will come up there. India ranks high in a mobile compromise. This is scenario and we have to see how do we deal in this
scenario. How do we, as I said in the opening remarks, that is a multi stakeholder kind of approach. Government alone cannot do anything; all of us, we need to come together. We need to improve our network hygiene. The service provider, the vendors and the users have to come together sincerely to achieve the hygiene, achieve the better efficiency, better productivity or better performance of the hygiene on the network. That's the first priority; we need to do that, user everywhere. That's what we need to work together, and this is where the role, certainly I would like to explore the Open Group: how do we work together to protect them by working, designing the architecture, by promoting certain kind of application, by promoting certain culture; how do we help, because this is becoming important issue. We need to work together. The critical sector, critical sector which manages the information infrastructure, the power sector or other, we all need to work together; the vendors, we need to work together; the banks are a part of the critical sector, we need to work together to share the information, and only it can happen if you have a intelligent sharing to a exchange of information. We need to develop some kind of a root system where we try to authenticate. I don't know how; we need to work with them. Certainly I will talk to the Open Group, the CEO here, how do we work together to create the trust and the root system where we have a trusted transactions across the devices, to secure, to promote the digital economy. Until and unless we achieve the trust and integrity, I am afraid we will have issue on the transactions there. I deal with the IT, I deal with the cyber security, but I certainly will admit openly, I shiver when I have to do the internet transactions on for myself. I limited to very, very bare transactions there. Okay, let your wife do that, you don't do that. We need to come out, we need to work together, and we will explore with the Open Group how do we achieve, how do we make it a part of their also agenda to
enhance the trust of transactions on the net or enhance the trust on cyber transactions.

Friends, we are in an era which is becoming more and more complex. The cyber is, I said all my presentation, is a much different era than what we have seen. The cyber technology is much, much more complex and much more dangerous than the nuclear technology. Nuclear bomb will come and impact certain kilometer area, physically has to be transferred, but the cyber area can damage millions of the system, can wipe out the million of your assets, data sets there, information there, and simultaneously from one to many, many to one, and many different areas can go, and physically doesn't have to press. Well, we should not take the pitfall of the digital economy, the cyber part, to stop our digital economy, because that's a trend; it will continue. We have, we have no alternative other than to move progressively on the digital economy. The country in India is resolved to move that; our prime minister is working very seriously on that, he takes regular meeting and talks about it. But we need to keep the other part and we need to work together so that we address the challenges which this technology is bringing, the innovation is bringing on a regular day to day basis. I once again thank Open Group to giving opportunity to share my thoughts and bring out the challenges which we are and which we will face in time to come. Thank you very much.

Sir, we can take couple of questions. Steve, may I please request you to join Dr.
Rai on stage. Any questions? We'll just limit to two, please.

It's an honour and privilege to sit in an audience and hear your good words, sir. Thanks a lot for your presentation. Just a quick question: looking at the way digitalisation is evolving, in my humble opinion we are gone past the days when as private enterprises we used to focus only on securing our data. With the advent of internet of things, mobility and cloud, most of our assets are now getting accessed by the end user devices; bring your own device was one step in that direction. What are your views in terms of building a thriving consortium of public and private partnership in the larger interest of citizen experience to build a very secured infrastructure, be it in an area of mobility or internet of things? Akshay Dhanak, HDFC Life.

You are endorsing what practically I am saying, that I said that it's a multi-stakeholder approach; government alone cannot do that, and the data is lying, we don't know all the data is present there. The solution is a public private kind of a approach which we need to follow there, and your idea is welcome, and we must have a consortium, well defined approach, how do we lay down their objective, their terms of reference, and certainly the public private approach only will bring a sort of a, can only create higher resilience. Everything is 100% secure; we can only work together creating a system so that we can ask the resilience of our structure. For the same I certainly welcome the idea of your public private consortium. One more.

Good morning, sir. This is Venu Gopal from BTP Technologies. Sir, you mentioned about the challenges of devices not being patched, and obviously the Indian users are not aware enough or educated enough to manage their devices securely. Does the government of India intend to have a law which can enforce security patching and update by mobile vendors and telecom service providers, for example for devices that they mass produce? For example, devices from most vendors, after they are released they
are not regular security updates; quite a few devices in the market today, after the first release there is no patching being done by the vendor.

So you talk about the law? What I missed?

I am looking at, sometimes the law can push the prioritization by the vendors in that space.

No, you are talking about the law?

Yeah, is there any plan from the government to, as part of the IT policy, to push for a law in that space to mandate certain levels of standards in patching updates?

No, you see, the, your question is, the last line and the first line was slightly different. Standard, mandating standard is one part, and mandating patching of the mobile phone is slightly different part of it; you may try to extend to that, but slightly different part of it. See, the information technology provides provision, there are number of provisions to address this issue, but there can't be a provision in the law that every mobile device owner or every citizen can patch the device which he owns; it's going to be very difficult to enforce it. There is a law that if anything happens from your device then you will be held accountable; there is a criminal and civil liabilities are there. There is a section 43, 43A and section 66, 66 say in the Information Technology Act which provide the criminal, civil liability is there. That indirectly tells you that you got to patch your system, because any malicious thing coming up, you can be booked for the damages. The law provides the compensation to victim and the law provides the punishment to the person, from the perpetrators also there. So there is a law, but I find difficult to reconcile the enacting a law where you make every citizen directly to patch it up. I have not seen any law anywhere, but it's a point which you see, let me point out