Cyber Security Policy of India July 2013

Raveen Janu 2013-07-22

The role of technology including communications and information technology (IT) will be crucial to India’s pursuit of a faster, more inclusive and sustainable growth as envisaged by the draft of the 12th Five Year Plan. According to reports, in 2011 alone India witnessed nearly 13,000 cyber attacks but, the gravest challenge is damage assessment post the cyber attack. The release of the Cyber Security Policy (CSP) of India on 2nd July 2013 is an important step in recognising the criticality of these technologies. India has been recognised as provider of world class IT and telecom products and services for over a decade now. The much awaited although delayed CSP 2013 is a right step in protecting and furthering the strategic objectives of our nation. India’s dependence on IT and telecom will only increase in the years to come with greater emphasis of the government on e-governance programmes. The intent, ability and motivation of the government and other crucial stakeholders to protect critical infrastructure, information, technologies and people will be the deciding factor in the survivability and success of these high end technologies to achieve the twin goals of strategic advantage and equitable socio-economic justice.

The analysis of the policy reveals its strengths and shortcomings at the same time. This is expected of a new policy which is operating in such high a tech and dynamic environment, at the cutting edge of science. First, some of the key limitations of the CSP 2013 will be discussed. The policy framework outlined is very broad in nature which is both an advantage as it provides flexibility but, the downside is the lack of detailed action plans to achieve the outlined objectives. In India the IT infrastructure in government and general public use is not state of the art.  In rest of the cases cyber security is understood mainly in terms of anti-viruses and firewalls, the far reaching scope of the policy seems unachievable in the short term. The ability to respond to any cyber attack requires identification and attribution of the source of attack within acceptable levels of surety. Even the developed countries of the world have limited capabilities in this domain and are thus, constrained in their ability to respond in a commensurate manner.

The principles and the balancing of national security versus the privacy laws of citizens have not been clearly articulated in the policy and would be a source of friction in the future. The policy doesn’t make any references to the IT Act 2000 which was a law passed by the legislature having precedence over the policy issued by the executive/government of the day in case of variance or conflict. The concept of checks and balances is also obscure relating to how data will be collected, processed, analysed and distributed and for what purpose, in order to safeguard the policy against misuse by vested interests. Another cause of concern is the budget to be set aside by the government and ministries to implement the policy, which is left to them to decide.

The capacities of countries including China, Russia, USA, etc. are manifold as compared to India’s due to huge investments, clear policy directions and trained manpower. India has to take on the task of securing our critical infrastructure and information on a war footing with clearly specified policy objectives in order to create skills and capabilities in a rational time frame to counter the global threat to cyber misuse. USA has been accusing China of stealing its secrets and critical technology information through acts of hacking, sabotage, etc. meaning China does have realistic capabilities of exploiting cyber space. Another example is the “Edward Snowden” controversy exposing the US government’s PRISM programme. USA has not only spent millions of dollars on PRISM but, the seriousness of the initiative can be understood by the fact that National Security Agency (NSA) employs nearly the maximum number of mathematicians in the world which is an indicator of its potential to collect and make sense of the vast amounts of data in the cyber realm. All these countries have forward looking programmes to not only protect their own turf but, to exploit the vulnerabilities of the other side. The gains afforded even in a conventional conflict scenario cannot be ruled out, as was demonstrated in the Russia-Georgia conflict (2008) and the lesser known Israeli aerial bombing of Syrian nuclear facility (2007) by disabling its air defence network through initial cyber attacks. India has been investigating some high profile cyber attacks and cyber crimes. These include investigation of Duqu malware, international ATM heist case, CBI website defacement case, CUPPS infection case, etc. India cannot afford to be left behind as the stakes are too high and the gap with adversaries will only increase with time, ultimately affecting our security and prosperity.

The policy also has considerable positive aspects which make it an important instrument in India’s security matrix. The policy includes a formal assessment of what constitutes India’s critical infrastructure sectors and the designation of critical technology sectors which will be crucial to our nation’s peace and prosperity. The policy has earmarked for the creation of a nodal agency at the centre to direct all efforts, assign responsibilities and perform advisory functions for all stakeholders concerned. The central agency will monitor the accomplishment of policy goals and uphold the tenets of accountability. The policy envisages an ambitious goal of training nearly 500,000 cyber security professionals in the next five years which will have considerable potential capabilities equivalent to an army of IT warriors. The public private partnerships (PPP) have been identified as the key to implementing the policy on ground and the government has openly endorsed and welcomed the participation of India’s private telecom and IT companies. The involvement of private sector in this endeavour is indispensable as the Department of IT has already identified infrastructures that are classified as critical information infrastructure, namely Defence, Finance, Energy, Transportation and Telecommunications. Of these, only defence and energy has majority government share rest all are dominated by private players. Key services under the national e-governance plan resulting in nearly 1.56 crore e-transactions per month will be protected under the CSP. It will be crucial to the successful delivery of many government IT enabled programmes including “e-Bharat”.

India needs to set up and promote centres of excellence for cyber security and techno-legal research. However, the policy is silent on the requirement to develop cyber offensive capabilities alongside cyber defense and security. The policy should be flexible and dynamic in nature to incorporate the ever-changing environment of the cyberspace. There is a need to involve not only industries and ministries but also academia, institutes of higher education and research labs to create an enabling cyber eco-system. The CSP policy will play a crucial role in defining the State of the Nation in the years to come through its ability to deliver on its vision- “To build a secure and resilient cyberspace for citizens, businesses and Government”.

By Special Arrangement with The Centre For Land Warfare Studies (CLAWS) (http://www.claws.in)