With an aim to monitor and protect information and strengthen defences from cyber attacks, the National Cyber Security Policy 2013 was released on July 2, 2013 by the Government of India. The purpose of this framework document is to ensure a secure and resilient cyberspace for citizens, businesses and the government. With rapid information flow and transactions occurring via cyberspace, a national policy was much needed.
The document highlights the significance of Information Technology (IT) in driving the economic growth of the country. It endorses the fact that IT has played a significant role in transforming India’s image to that of a global player in providing IT solutions of the highest standards.
The Cyber Security Policy aims to protect information infrastructure in cyberspace, reduce vulnerabilities, build capabilities to prevent and respond to cyber threats, and minimize damage from cyber incidents through a combination of institutional structures, people, process, technology and cooperation. The objective of this policy in broad terms is to create a secure cyberspace ecosystem and strengthen the regulatory framework. A national and sectoral 24x7 mechanism has been envisaged to deal with cyber threats through the National Critical Information Infrastructure Protection Centre (NCIIPC). The Computer Emergency Response Team (CERT-In) has been designated to act as a nodal agency for coordination of crisis management efforts. CERT-In will also act as an umbrella organization for coordination actions and operationalization of sectoral CERTs. A mechanism is proposed to be evolved for obtaining strategic information regarding threats to information and communication technology (ICT) infrastructure, and for creating scenarios of response, resolution and crisis management through effective predictive, preventive, response and recovery action.
The policy calls for effective public and private partnership and collaborative engagements through technical and operational cooperation. The stress on public-private partnership is critical to tackling cyber threats through proactive measures and adoption of best practices besides creating a think tank for cyber security evolution in future.
Another strategy which has been emphasized is the promotion of research and development in cyber security. Research and development of trustworthy systems and their testing, collaboration with industry and academia, setting up of a ‘Centre of Excellence’ in areas of strategic importance from the point of view of cyber security, and R&D on cutting-edge security technologies are the hallmarks of this strategy laid down in the policy.
The policy also calls for developing human resources through education and training programmes, establishing cyber security training infrastructure through public-private partnership, and establishing institutional mechanisms for capacity building for law enforcement agencies. Creating a workforce of 500,000 professionals trained in cyber security in the next 5 years is also envisaged in the policy through skill development and training. The policy plans to promote and launch a comprehensive national awareness programme on security of cyberspace through cyber security workshops, seminars and certifications, with a view to developing awareness of the challenges of cyber security amongst citizens.
The policy document aims at encouraging all organizations, whether public or private, to designate a person to serve as Chief Information Security Officer (CISO) who will be responsible for cyber security initiatives. Organizations are required to develop their information security policies properly dovetailed into their business plans and implement such policies as per international best practices. Provisions of fiscal schemes and incentives have been incorporated in the policy to encourage entities to install trustworthy ICT products and continuously upgrade information infrastructure with respect to cyber security.
The release of the National Cyber Security Policy 2013 is an important step towards securing the cyberspace of our country. However, there are certain areas which need further deliberations for its actual implementation. Provisions to take care of security risks emanating from the use of new technologies, e.g. cloud computing, have not been addressed. Another area which is left untouched by this policy is tackling the risks arising from increased use of social networking sites by criminals and anti-national elements. There is also a need to incorporate cyber crime tracking, cyber forensic capacity building and creation of a platform for sharing and analysis of information between public and private sectors on a continuous basis.
Creating a workforce of 500,000 professionals needs further deliberations as to whether this workforce will be trained to simply monitor the cyberspace or trained to acquire offensive as well as defensive cyber security skill sets. Indigenous development of cyber security solutions as enumerated in the policy is laudable but these solutions may not completely tide over the supply chain risks and would also require building testing infrastructure and facilities of global standards for evaluation.
The Indian Armed Forces are in the process of establishing a cyber command as a part of strengthening the cyber security of defence network and installations. Creation of a cyber command will entail a parallel hierarchical structure and, the cyber command being one of the most important stakeholders, it will be prudent to address the jurisdiction issues right at the beginning of policy implementation. The global debate on national security versus right to privacy and civil liberties has been going on for a long time. Although one of the objectives of this policy is safeguarding the privacy of citizen data, no specific strategy has been outlined to achieve this objective.
The key to success of this policy lies in its effective implementation. The much talked about public-private partnership in this policy, if implemented in true spirit, will go a long way in creating solutions to the ever-changing threat landscape.
By Sanjiv Tomar