Does India Need a New Cyber Policy?Experts: It Must be Clear, Practical and Operational
Information security experts argue that India's current "National Cyber Security Policy is restricted to being merely a draft paper and leaves much to be desired in chalking out a clear implementation strategy.
See Also: EMA Zero Trust Networking Research Summary
"The existing policy talks about threats and cyber security, but the institutional mechanism to run the functions, role of stakeholders in the cyber security life cycle, and classification of threats are missing," says Neeraj Aarora, Cyber Lawyer & Forensic Examiner. "There is no clear differentiation between InfoSec and cybersecurity frameworks."
The discussion comes in the wake of India's Prime Minister Narendra Modi emphasizing the need for having a 'digital armed force' in conjunction with the 'Digital India" initiative for the country to face the increasing threats that cyberspace poses.
To meet the objective and create a task force to prevent cybercrime, a definitive mandate to review India's National Cyber Security Policy is essential, experts say.
The National Cyber Security Policy, approved in July 2013, outlines the basic objectives and strategies "to build a secure and resilient cyberspace for citizens, businesses and the government." It also envisages facilitating the creation of a secure computing environment and enabling adequate trust and confidence in electronic transactions, as well as guiding stakeholders' actions for protection of cyber space. However, experts say, the document has been laid out very broadly, and implementation plans must be clearly defined.
Where Are the Gaps?
Officials from the Department of Electronics and Information Technology have a positive outlook on the issue. They believe the policy has led to actions relating to creation of national structures and mechanisms with the involvement of relevant stakeholders, for generating a macroscopic view and advanced proactive actions.
But High Court Advocate Prashant Mali, a cyber-law & cyber security expert, says the policy is broad-based. Disheartened that it has not reached any milestones, and that everything about it looks foggy as promises made have not been kept, he asks, "Where is the amount of Rs 500 crore allocated in the Union budget for training in cyber security awareness being spent? None of the projects are visible."
V Rajendran, President of Cyber Society of India, says the policy does not clearly and boldly address individual rights of privacy, right of expression vs the government's duty to protect data and its right to intercept whenever required.
He says the government must spell out what it considers data privacy, information secrecy, individual rights to privacy, intermediaries' duty towards the government vs their duty towards their customers' right to have privacy, etc.
"Clarity in the operational methodology is lacking," Rajendran says. "Strategic planning to involve the state government or private players in executing the framework is not clearly articulated."
But Dr. Gulshan Rai, Director General of Indian Computer Emergency Response Team, disagrees. He argues the policy is quite comprehensive in covering a broad range of security issues. As such, it does not need changes at its level.
However, he acknowledges that strategic objectives must be supplemented with clear-cut road maps at all levels. "Specific actions are already underway to identify and execute the actions in terms of institutional mechanisms, infrastructure, PPP engagements and information sharing and cooperation," Rai says.
Thrust on PPP model
The Public Private Partnership model framework has been an area of concern. Experts say there should be a sub-policy on which are the sectors where the PPP model is implemented with absolute transparency. Mali insists states and their ministries should be actively involved in implementing the policy stringently. This is not so currently, as many states do not have an adjudicating officer.
Aarora finds the PPP model has not been put to full use because of the challenges of technological evolution and need for skilled resources.
ICERT's Dr Rai finds private sector involvement against all odds quite encouraging.
A joint working group involving professionals from the government and private sectors is in place to guide action. "Policy stability and conducive partnership arrangements with sufficient clarity on the nature of participation is expected to incentivise the PPP model," says Dr Rai.
Right Policy Measures
The first step is to get all the cybercrime cells to be certified by CERT-IN or any other authorized body, with periodic security audits. Dr K Harsha, Chief Security Architect for HK Group, expects the policy to focus on critical and highly vulnerable domains, rather than take a common approach.
Mali insists, "The policy should aim at developing 'India Cyber Security Standard Version 1.0' and not rely on global purchasable standards."
In very clear terms, Aarora says the key requirements are classification of threats, independent institutional mechanism to monitor the performance/outcome of the activities of the security lifecycle, periodical amendment of the information system audit requirement, and having the IT Act incorporate security as an inherent risk assessment measure.
Fighting against cyber terrorism, enhanced coordination among all government agencies on information sharing, cyber security monitoring or regulating agency, among others, are future focus areas.
As a future measure, ICERT seems to lay emphasis on cyber security issues and threats targeting the mobile eco-system. Use of social media for malicious activities and its potential for interference to affect social order and national security, will draw greater attention, as will big data and internet of things.
Dr Rai believes that it is essential to develop global cyber space norms to regulate and guide responsible behaviour in cyber space. Simultaneously, nation states must share information and cooperate in responding to malicious activities in cyber space.