VAR Panchayat
Cyber Security is Critical
2017-04-14
National Security Policy, 2013 remains a statement and it should now be strengthened
Cybercrimes have evolved from the lone-wolf operations of a disgruntled whiz kid to those of an organized group, often motivated by significant financial gain and/or sponsored by nation-states, criminal organizations or radical political groups. Today’s attacker fits the following profile: has far more resources available to facilitate an attack; has greater technical depth and focus; is well funded; and is better organized.
Criminal organizations or rogue nation-states are working with a purpose as sophisticated adversaries who can do malicious things with the most seemingly innocuous bits of information. Today’s threats are more organized across multiple disciplines. Over time, attackers have evolved and become more sophisticated, and so has security.
The 2013 policy does not take a holistic approach to the various technical and legal aspects of compliance. With no dedicated cybersecurity laws in India, other policy documents of the government need to be connected and correlated, such as:
• National Security Policy as well as the right to privacy need to be clearly defined along with legal consequences for breach.
• IT Act, 2000 has become outdated with new and better techno-legal laws now being required.
• National Telecom Policy, 2012 and related policies for telecom security and encryption, e-mail and passwords are pending, and a new legal framework needs to be produced.
• Many critical issues need to be addressed for infrastructure protection, viz. e-governance cybersecurity, e-commerce cybersecurity, cybersecurity of banks, cyber terrorism and cyber warfare.
• Security obligations of various stakeholders (such as banks, e-commerce companies, power utilities, government departments, etc) also need to be properly defined and implemented.
• A national security architecture that can assess the nature of cyber threats and respond to them effectively is missing.
While no attempt has been made to implement the policy as defined in 2013, an attempt at defining a New Cyber Security Policy in 2015 failed miserably as it did not consider the above aspects and led to public furore where users were burdened with the responsibility to store all encrypted information for at least 90 days.
An overview of India’s cyberspace environment throws up the following two facts:
• India is an exporter of information on a net basis. Popularity of social media platforms and our failure to create similar platforms of our own locally has resulted in data of millions of Indians travelling on digital highways that lead to the West. Most such Internet gateways and related equipment deployed by Internet providers in India are untested despite originating from China.
• With over 500 million people using the Internet today (and growing rapidly) on various devices, from the cheapest to the most expensive, largely of Chinese origin and not checked for remote access, we are prone to large-scale hacking.
With these circumstances, where National Security Policy, 2013 remains a statement of principles and intent, it should now be strengthened with a doctrine defining an implementable national cyber strategy covering the following:
We have a skilled IT workforce that is globally recognized. India should focus on harnessing such skilled manpower in a manner which creates a cadre of skilled cyber specialists with appropriate pay and benefits. Similar to the current cadre of IAS and trained military personnel, a technically competent cadre of IP specialists should be created which attracts the best Indian talent through competitive evaluation.
Industry – both public and private sectors – needs to be closely involved in adopting best practices for cybersecurity, particularly in infrastructure which services large swathes of our population such as oil & gas, telecom, banking, power, water, food supplies, etc. All encryption work at any level should necessarily be linked to the individual’s/institution’s digital footprint in such a manner that, while it does not compromise the encryption security at any stage, it provides a digital trail for forensics by the government.
We need to create a National Cyber Security Authority as a functioning secretariat with proficient permanent and semi-permanent staff that continuously develops skills in defensive and offensive cyber operations. All existing agencies of the government such as intelligence agencies, NTRO, etc should be part of its policy wing that provides latest threat assessments.
In view of the offensive cyber capabilities already being used against us by Pakistan and China, the need of the hour is not only to build defensive capabilities but also similar offensive capabilities designed to intrude, intercept and exploit digital networks as a cyber arsenal. This will function as deterrence, with powers for its use resting with the PMO (as in the case of nuclear command) under parliamentary control. A legal framework should also be put in place to regulate the use of such cyber capabilities on domestic networks used by Indian citizens.