Rai's 5-Point Plan to Secure Digital IndiaSecurity Leaders Ask: What's New About This Agenda?
The security industry has always had its ear to the ground regarding India's national cybersecurity coordinator Dr. Gulshan Rai's plan to fight growing cyber threats and establishing a secure digital India.
A recent message to enterprises by Rai during a conclave in Kolkata on "Securitisation of Digital India" emphasized the need to have an international legal framework to make users secure in cyberspace, given the entire data is on cloud. This was one element of his five-point agenda to secure digital India (see: Securing Digital India From Fraud ).
Rai's key refrain is that cybersecurity complexity can only be resolved with a multistakeholder approach, with the industry participating in building the wherewithal for a cybersecure ecosystem
While the agenda seems relevant, the question is whether this plan is new, or just old wine in a new bottle to keep the momentum going.
A practitioner, requesting anonymity, said, "I have to admire Dr. Rai's consistency in reiterating the same recommendations to secure digital India; he stands by the same statements for many years."
The 5-Point Security Agenda
Rai's key refrain is that cybersecurity complexity can only be resolved with a multistakeholder approach with the industry participating in building the wherewithal for a cybersecure ecosystem (see: Rai on Complexity of Cybersecurity).
Against this, his five-point focus is:
- Bringing an international framework to tackle cloud challenges owing to cross-border issues;
- Creating awareness around online-threats among users;
- Focusing on Make in India to develop India's own software and hardware;
- Tackling issues around people, process and technologies;
- Targeting skill development and capacity building with security by design.
"Digital revolution will rise and spread out. The government's doing much, but the prime part is creating awareness among the people. Technology can protect your device but it needs people, process, technology, to handle technology," Rai says.
Does he bring anything new to the table? Definitely not. While he's constantly insisting on a multistakeholder approach, given that cybersecurity will be an important focus, and inviting private and public support for R&D, and creating awareness and skill development, systematic procedures for these are lacking.
These five sanctions were prescribed by Rai in the National Cyber Security Policy in 2013. What must change is discussing the modus operandi of fulfilling these five tasks and evolving a pragmatic framework.
Security experts question whether India can hope to see new areas of focus and new models to implement cybersecurity judiciously, and whether the dialogues can spark policy evolution, with a dedicated legislation to protect and preserve its cybersecurity and sovereignty.
Even Rai's statement about bringing an international framework to protect data in the cloud isn't new: it's one of the criteria set as part of the best practices during US-India cyber talks last year (see: Analysis: U.S., India Cyber Talks).
What must be different? Rai must articulate a definite short-term and long-term strategy to enhance cybersecurity skills and develop new frameworks for a multistakeholder model, incident response mechanism, and enact new legislation to challenge current day threats.
Vital for Securing Digital India
It isn't an exaggeration to say that although the government's outspoken about implementing security in its initiatives, there's no clear road map.
The Modi government has allocated a substantial budget to security in Digital India, but traction on the ground is much solicited with tangible projects rolled out (see: Digital India Raises Security Concerns).
In a blog in the Economic Times recently, Kamlesh Bajaj, founder of DSCI, said, referring to borderless digital space, "Digital India will spawn more cybercrime. Because of the borderless nature of cyberspace, evidence has to be collected from trails that maybe in networks and servers anywhere in the world."
India, too, is a victim of major cyberattacks, and with information about attackers being locked in servers in the U.S., it must scale up its own capabilities - notably in online national networks of criminals - and online feeds on cyber threats from networks across the country must be directed into a central repository for collating and relaying them to all those likely to be impacted, he says.
I believe Rai's immediate task is to evolve a blueprint on real-time steps taken to address digital India's concerns. A workable private-public partnership model is needed, with a strong information sharing platform on a real-time or near real-time basis, providing feeds on malicious cyber threats and attacks and appropriate mechanisms to address these.
Some key imperatives he can include in his agenda:
- Develop an enterprise security ecosystem involving key groups;
- Enhance capabilities of law enforcement Agencies across the country jointly working with LEA groups;
- Expedite the process of enacting new, dedicated cybersecurity legislation because the Information Technology Act 2000 is incapable of addressing cybersecurity challenges of the current times;
- Evolve a model to strengthen the legal support system to address cybercrime-related cases;
- Cybersecurity is not a technology problem that can be 'solved.' Rather, it is a risk to be managed by a combination of defensive technology, astute analysis and traditional diplomacy.
A key parameter in securing digital India, says Sid Deshpande, principal analyst at Gartner India: "Digital platforms must be viewed as critical infrastructure and treated accordingly - adequate security incident detection and response must be enabled in a centralized manner."
So, what kind of capabilities, response mechanism, institutional structures and effective operational policy do you believe we should expect from Rai?