You could be in cyber warfare, quite unawares: Prashant Mali

At the IDG Security Day Symposium, Prashant Mali, noted cyber law expert, shares his thoughts on cyber warfare, and the pitfalls awaiting the modern day CISOs.

Cyber warfare could be a larger subset of cyber security. The infrastructure a CSO manages is the only infrastructure which cyber attacker uses to progress their cyber warfare ambitions, and once it gets used, where does a CSO stand? Many of the CSOs won’t know how their infrastructure is being used by these threat actors, said Prashant Mali, cyber law expert. He was addressing the top-notch CSO audience at IDG Security Day and CSO100 Awards ceremony in Faridabad.

Talking about the adverse effects of crypto mining, Mali said, “Majority of the crime scene happens in the international arena. In majority of the terrorist activities, money is exchanged in cryptocurrencies. If your IT infrastructure is being used to mine this cryptocurrency which gets into a point where terrorism is an issue, you become a part of the global evidence or your infrastructure becomes a part of it.”

Watch Prashant Mali address India's top-notch security heads at the IDG Security Day & CSO100 Awards. Prefer to read the edited excerpts? Read on.


Maintaining IT hygiene is a must for any CSO; especially keeping an eye on cryptojacking or cryptomining software. 

Currently, the government of India is planning to localize all data. It is now the responsibility of every CSO to take measures to protect it. In case of wrong doing the first to be investigated or arrested will be a CSO. He says, “The CSO will also have to take a look at the GDPR. If you are harboring data from Europeans then you will be accountable for it and hence you have to keep in mind about the GDPR as well.” 

CSO or DPO or the board: Who carries the risk?

The new act could also produce a new designation like Data Protection Officer (DPO). India's data privacy law, which is being prepared by the government, could be launched in the coming months. 

Mali feels, “The role of DPO can also be taken up by a CSO. However I strongly feel it will be an added responsibility for which you won’t get paid. Difference between a CSO and DPO is a debatable topic. With the new data protection laws coming up, the government could also announce jail terms for offenders related to cyber-crimes. So who should take up the role? It could be a CSO and a law head or it could be a legal head who could take the added responsibility. 

Everyone wants a piece of data from India at the moment. Every country is looking for it, especially China which is said to have taken a bit including encrypted data, and they are waiting for quantum computing to happen so that they can decrypt them. 

“CSO needs to protect the data. If the data is taken by your organization today, and you come to know of it after three years, you can imagine the liability you carry. It is important what steps a CSO takes with the board and make sure that he or she doesn't take all the risk on their head”. 

CSO needs to do a privacy compliance or a privacy gap analysis in their organization right now. They should also find out from their legal advisor if GDPR is applicable to them, and if yes then where it is applicable.