Encryption is a societal question…needs healthy debate among govt, cos and citizens: Royal Hansen

There is said to be the involvement of a foreign state actor in the recent cyberattack on AIIMS. Are foreign states today thebiggest actors in cyberspace, or are they mostly independent actors?

Google’s Threat Analysis Group (TAG) and Mandiant, which we acquired earlier this year, track around 300 nation state groups. And we see threats from nation state actors continue to grow.

The big players remain to be big, but what’s also happened is that smaller states are also buying exploits and acting bigger. So it is becoming a bigger and bigger issue not because armies are growing in each of these countries. It’s the ecosystem of people buying and selling exploits, data, compromising botnets etc. The lines are becoming very blurry.

Subscriber Only Stories

Premium

Premium

Premium

Premium

In India’s case, it is just like in the USA, that when you are a big player, writing software for the world, and your economy is growing, you are going to be on the attackers’ list. So, Google will be training 40,000 developers on writing secure software.

India should also get rid of legacy infrastructure so that the country is more resilient to cyberattacks.

Is Google having conversations with the Indian government on cybersecurity and how to make their systems more secure?

One of the reasons Google’s global senior leadership is in India is to have meetings with the government along those lines. We will share threat intelligence on things like high end attackers and the trends we are seeing and how we are baking that threat intelligence into our products like Google Pay and Gmail.

What do you think is the biggest cyber threat facing India today? Is it unique to the country?

One of the main issues is the use of legacy infrastructure which is a common trend across the world, not just India. These systems typically become the first point of attack. The difference in India is not the type of attacks, but the pace at which the country has grown. There are more new people participating, businesses growing. So it becomes that much more important that we don’t use legacy systems. You have to be secure by default. Along with that the products also have to be safe.

Companies like Apple and Meta’s WhatsApp have taken essentially a very pro-encryption stance in their products and services. Does Google also think that end-to-end encryption should be the norm for most digital services? Or should there also be consideration for law enforcement purposes and baking some kind of accessibility?

The most important thing is not to view this as just a technical problem. We are talking about societal questions. There is a tendency to say that one technology or one implementation can solve it. Like we have seen in other industries like aviation, naval, healthcare etc. there are always tricky tradeoffs.To me, it is important that governments, companies, tech platforms, and citizens have a healthy debate. I am in favour of a societal approach.

Encryption is a tool and we use it in certain cases. But do I think everything in the world will be end-to-end encrypted? No, because then services can’t be rendered.Yes, there is absolutely a time and place for end-to-end encryption, but what lots of people also want is for a service provider to see and act on their data so that they can give them a convenience.

It is a healthy debate that society needs to have, and we’re not the arbiters of that. I want it to be a societal question.