But the National Cyber Security Policy, 2013, is short on detail
Cyberspace is a new global commons, albeit of a different kind. It is man-made, and its infrastructure, the information and communications technology (ICT), is owned by different countries but is part of the cyber commons. Cyber attacks against the infrastructure of any country can come from anywhere in the world, with tracks that can be successfully hidden. No wonder the global cyber commons requires international cooperation to identify cyber attackers. Nations need to protect their respective cyber boundaries, even though cyberspace is borderless. This is done through appropriate instruments, including policies, legislation, security programmes, awareness and training. The launch of the National Cyber Security Policy (NCSP), 2013, is a welcome step.
The government has taken several steps to enhance cyber security in the country. The first major step was the setting up of the Indian Computer Emergency Response Team (CERT-In) in 2002-03, to create awareness on cyber threats, understand vulnerabilities and devise ways to mitigate them. The National Technical Research Organisation (NTRO) was given the responsibility of protecting the critical information infrastructure (CII), and of developing offensive capability. The latter has done precious little.
The Information Technology Act, as amended in 2008, has raised the level of awareness about cyber crimes. It has identified many kinds of cyber attacks, including unauthorised access, spreading viruses and spam, identity theft, voyeurism, bodily privacy compromise and cyber terrorism. It helps prosecute cyber criminals. But a comprehensive national cyber security strategy that empowers different agencies with coordination at the highest level is essential to secure India's cyberspace. The NCSP articulates a broad policy structure.
A sound cyber security strategy should be based on a strong coordination mechanism that can lead the nation in awareness, education, security standards and their effective implementation, confirmed through independent audits, as well as information sharing on threats and vulnerabilities, incident management, technology and practices development led by the private sector, and clarity on the role of different government agencies. The NCSP takes a holistic view of the challenges and details strategies to address them. The policy presents a complete ecosystem for a secure computing environment, keeping in view the latest developments in other countries. The challenge, however, is implementing the policy and defining the specifics.
The NCSP encourages organisations to enhance cyber security through various measures, but it mandates implementation and auditing of such measures by the e-governance services and critical information infrastructure, even though it does not specify what constitutes such infrastructure. The policy provides for incentives to the private sector to invest in security beyond their business requirements, since complete reliance on the market-driven approach has proved inadequate for national security. But there are overtones of possible regulation too. The government has to keep in mind that intervention through regulations should not undermine business innovation or make it uncompetitive. Only when the market-driven approach fails should the government think of lightweight legislation for the CII. But that should be developed in partnership with industry. The proposal for creating a new entity focused on CII protection, the National Critical Information Infrastructure Protection Centre, is laudable, but given that the NTRO has made almost no progress, it is not clear how this will help.
An important focus area of the NCSP is indigenous development of cyber security products for the widespread deployment of security ICT products, and to address national security requirements. Giving preference to indigenous products for national security reasons may not be the right policy direction: domestically developed products may not reduce risks unless they are tested globally in a real-life environment. To address these risks without affecting business competitiveness and the country's image as a promoter of global trade and market, India should build its capacity to mitigate ICT supply chain hazards.
Against the backdrop of the PRISM revelations, it is commendable that one of the NCSP's objectives is to enable safeguarding the privacy of citizens' data, even though no specific strategy has been mentioned in the policy. Moreover, the need to create five lakh security professionals is a huge challenge. It requires setting up massive informal training and certification infrastructure. It is important to understand the possible implications of the policy when drafting the action plan. Further, the policy implementation plan must take cognisance of initiatives undertaken or planned by different entities. It should then take a cohesive and collaborative approach to achieve the desired outcomes and avoid duplication of efforts.
The writer is CEO, Data Security Council of India.
He was the founder director, CERT-In.