National Cyber Security Strategy

National Cyber Security Policy, which was first drafted in the wake of reports that the US government was spying on India and there were no technical or legal safeguards against it.

The National Cyber Security Policy is a policy document drafted by the Department of Electronics and Information Technology (DeitY), Ministry of Communication and Information Technology in 2013 aimed at protecting the public and private infrastructure from cyber attacks. The guideline also seeks to protect the personal information of internet users, financial and banking information, and sovereign data.

In 2020, the National Cyber Security Strategy was conceptualised by the Data Security Council of India (DSCI) headed by Lt General Rajesh Pant. The report focused on 21 areas to ensure a safe, secure, trusted, resilient, and vibrant cyberspace for India.

The Policy is aimed at building a secure and resilient cyberspace for citizens, businesses and the Government. Its mission is to protect cyberspace information and infrastructure, build capabilities to prevent and respond to cyber-attacks, and minimise damages through coordinated efforts of institutional structures, people, processes, and technology.

The objectives of the policy include creating a secure cyber ecosystem, compliance with global security standards, strengthen the regulatory framework, creating round the clock mechanisms for gathering intelligence and effective response, operation of a National Critical Information Infrastructure Protection Centre for 24×7 protection of critical information infrastructure, research and development for security technologies, create a 500,000 strong cyber security workforce, to provide fiscal benefits to businesses for adopting cyber security practices, to build public private partnerships for cooperative cyber security efforts.

In brief, the National Cyber Security Policy covers the following aspects:

• A vision and mission statement aimed at building a secure and resilience cyberspace for citizens, businesses and Government.
• Enabling goals aimed at reducing national vulnerability to cyber attacks, preventing cyber attacks & cyber crimes, minimising response & recovery time and effective cybercrime investigation and prosecution.
• Focused actions at the level of Government, public-private partnership arrangements, cyber security related technology actions, protection of critical information infrastructure and national alerts and advice mechanism, awareness & capacity building and promoting information sharing and cooperation.
• Enhancing cooperation and coordination among all the stakeholder entities within the country.
• Objectives and strategies in support of the National Cyber security vision and mission.
• Framework and initiatives that can be pursued at the Government level, sectoral levels as well as in public-private partnership mode.
• Facilitating monitoring key trends at the national level such as trends in cyber security compliance, cyber attacks, cyber crime and cyber infrastructure growth.

National Cyber Security Policy: Strategies

• Creating a secure cyber ecosystem through measures such as a national nodal agency, encouraging organisations to designate a member of senior management as the Chief Information Security Officer and develop information security policies.
• Creating an assurance framework .
• Encouraging open standards.
• Strengthening the regulatory framework coupled with periodic reviews, harmonization with international standards, and spreading awareness about the legal framework.
• Creating mechanisms for security threats and responses to the same through national systems and processes. National Computer Emergency Response Team (CERT-in) functions as the nodal agency for coordination of all cyber security efforts, emergency responses, and crisis management.
• Securing e-governance by implementing global best practices, and wider use of Public Key Infrastructure.
• Protection and resilience of critical information infrastructure with the National Critical Information Infrastructure Protection Centre operating as the nodal agency.
• To promote cutting edge research and development of cyber security technology.
• Human Resource Development through education and training programs to build capacity.

Need for a National Cyber Security Strategy

• Increasing Number Of Cyber Attacks: As per American cybersecurity firm Palo Alto Networks’ 2021 report, Maharashtra was the most targeted state in India — facing 42% of all ransomware attacks.
  • The report stated that India is among the more economically profitable regions for hacker groups and hence these hackers ask Indian firms to pay a ransom, usually using cryptocurrencies, in order to regain access to the data.
  • One in four Indian organisations suffered a ransomware attack in 2021 — higher the the global average of 21%.
• Cyber Warfare Offensives:
  • The US is just one of many countries that have invested significant amounts of money in developing not just defences against attack, but the ability to mount damaging cyber warfare offensives.
  • The countries which are believed to have the most developed cyber warfare capabilities are the US, China, Russia, Israel and the United Kingdom.
• Increased Digital usage Post-Covid:
  • Critical infrastructure is getting digitised in a very fast way — this includes financial services, banks, power, manufacturing, nuclear power plants, etc.
• For Protecting Critical Sectors:
  • It is particularly significant given the increasing interconnectedness of sectors and proliferation of entry points into the internet, which could further grow with the adoption of 5G.
  • There were 6.97 lakh cyber security incidents reported in the first eight months of 2020, nearly equivalent to the previous four years combined, according to information reported to and tracked by the Indian Computer Emergency Response Team (CERT-In).
• Recent Cyber Attacks:
  • There has been a steep rise in the use of resources like malware by a Chinese group called Red Echo to target “a large swathe” of India’s power sector.
  • Red Echo used malware called ShadowPad, which involves the use of a backdoor to access servers.
  • The Chinese hacker group known as Stone Panda had “identified gaps and vulnerabilities in the IT infrastructure and supply chain software of Bharat Biotech and the Serum Institute of India.
• For Government:
  • A local, state or central government maintains a huge amount of confidential data related to the country (geographical, military-strategic assets etc.) and citizens.
• For Individuals:
  • Photos, videos and other personal information shared by an individual on social networking sites can be inappropriately used by others, leading to serious and even life-threatening incidents.
• For Businesses:
  • Companies have a lot of data and information on their systems.
  • A cyber attack may lead to loss of competitive information (such as patents or original work), and loss of employees/customers’ private data resulting in complete loss of public trust in the integrity of the organisation.

What are the Main Components of the National Cyber Security Strategy?

• Large Scale Digitisation of Public Services: Focus on security in the early stages of design in all digitisation initiatives.
  • Developing institutional capability for assessment, evaluation, certification, and rating of the core devices
  • Timely reporting of vulnerabilities and incidents.
• Supply Chain Security: Monitoring and mapping of the supply chain of the Integrated Circuits (ICT) and electronics products.
  • Leveraging the country’s semiconductor design capabilities globally at strategic, tactical and technical levels.
• Critical Information Infrastructure Protection: Integrating Supervisory Control And Data Acquisition (SCADA) security
  • Maintaining a repository of vulnerabilities.
  • Preparing an aggregate level security baseline of the sector and tracking its controls.
  • Devising audit parameters for threat preparedness and developing cyber-insurance products.
• Digital Payments: Mapping and modelling of devices and platforms deployed, supply chain, transacting entities, payment flows, interfaces and data exchange.
• State-Level Cyber Security: Developing state-level cybersecurity policies,
  • Allocation of dedicated funds,
  • Critical scrutiny of digitization plans,
  • Guidelines for security architecture, operations, and governance.
• Security of Small And Medium Businesses: Policy intervention in cybersecurity granting incentives for a higher level of cybersecurity preparedness.
  • Developing security standards, frameworks, and architectures for the adoption of the Internet of Things (IoT) and industrialisation.

What steps does the report suggest?

• Budgetary Provisions: A minimum allocation of 0.25% of the annual budget, which can be raised upto 1% has been recommended to be set aside for cyber security.
  • In terms of separate ministries and agencies, 15-20% of the IT/technology expenditure should be earmarked for cybersecurity.
  • It also suggests setting up a Fund of Funds for cybersecurity and providing Central funding to States to build capabilities in the same field.
• Research, Innovation, Skill-Building And Technology Development: The report suggests investing in modernisation and digitisation of ICT, setting up a short and long term agenda for cyber security via outcome-based programs and providing investments in deep-tech cyber security innovation.
  • DSCI further recommends creating a ‘cyber security services’ with cadres chosen from the Indian Engineering Services.
• Crisis Management: For adequate preparation to handle a crisis, DSCI recommends holding cybersecurity drills which include real-life scenarios with their ramifications.
• Cyber Insurance: Cyber insurance being a yet to be researched field, must have an actuarial science to address cybersecurity risks in business and technology scenarios as well as calculate threat exposures.
• Cyber Diplomacy: Cyber diplomacy plays a huge role in shaping India’s global relations. Hence cyber security preparedness of key regional blocks like Bay of Bengal Initiative for Multi-Sectoral Technical and Economic Cooperation (BIMSTEC) and Shanghai Cooperation Organisation (SCO) must be ensured via programs, exchanges and industrial support.
  • To further better diplomacy, the government should promote brand India as a responsible player in cyber security and also create ‘Cyber envoys’ for the key countries/regions
• Cybercrime Investigation: With the increase in cybercrime across the world, the report recommends unburdening the judicial system by creating laws to resolve spamming and fake news.
  • It also suggests charting a 5-year roadmap factoring possible technology transformation, setting up exclusive courts to deal with cybercrimes and removing the backlog of cybercrime.
  • Moreover, DSCI suggests advanced forensic training for agencies to keep up in the age of AI/ML, Blockchain, IoT, Cloud, Automation.

Evaluation

• The objectives and strategies of the policy are comprehensive; however, translating them fully into operations remains a challenge.
• Protection to civil liberties of Indians including privacy rights have not been as desired.
• Alleged surveillance projects continue to make civil liberties protection in cyberspace difficult to achieve.
• The offensive and defensive cyber security capabilities of India require lot to be done.
• India is considered to be a highly vulnerable in cyberspace and cyber security field and the proposed cyber security policy has failed to change this position.

Way Forward

• Experts have suggested the setting up of a National Cyber Security Agency (NCSA) to address cyber security issues and improve implementation at a national level. Such an agency is suggested to be equipped with staffs that are technically proficient in both defensive and offensive cyber operations, to encrypt platforms and collect intelligence.
• Setting up of a National Cyber Coordination Centre (NCCC) as a cyber-security and e-surveillance agency, to screen communication metadata and co-ordinate the intelligence gathering activities of other agencies.
• In general, stronger operating system kernels, faster anti-virus software and virus detection, tougher firewalls and Internet browsers—are just some of the steps taken to help cut down on the vulnerabilities present in today’s network architecture.
• The partnership of Government and Private Sector continue to be necessary step needed because the majority of the country’s cyber resources are controlled by entities outside of government.
• A long-lasting and functional partnership between government and the information technology industry, facilitated by the Government of India, will help make cyber space more secure.
• There is a need to increase the number of cyber security experts and IT security auditors, in which the country is facing a crisis at present.
• India is fortunate to have pool of talent in the private IT sector which can be fruitful if used in the proper way. The experts of cyber security in the private sector can be invited to train the government cyber security professionals and can help in conducting security drills from time to time in the government and other cyber networks of the country.
• It is hoped that the Government’s initiatives can keep pace with the rapidly changing nature of cyber-attacks.