The Department of Information Technology issued a discussion draft on National Cyber Security Policy (“Policy”) in the beginning of this year that aims to foster a secured computing environment and adequate trust & confidence in electronic transactions. The IT sector has become one of the most significant growth catalysts for the Indian economy. The IT sector, with its ubiquitous nature, is also playing a tremendous role in influencing the lives of its users in various spheres such as employment, standard of living and diversity, among others. The government has been a key driver for increased adoption of IT-based products and solutions in the country through various IT-enabled initiatives, including in public services, healthcare (telemedicine, remote consultation, and mobile clinics), education (e-Learning, virtual classrooms, etc.) and financial services (mobile banking/payment gateways), etc. In addition, the government has enabled increased IT adoption through sector reforms and national programmes such as the National eGovernance Programmes (“NeGP”) and the Unique Identification Development Authority of India (“UIDAI”) programme that create large-scale IT infrastructure and promote corporate participation.
Through this bulletin we shall analyze whether the Policy substantially addresses several areas and processes related to cyber security, particularly incident response, vulnerability management and infrastructure security. We shall also go through the Policy and understand its constraints and make certain suggestions for improvement.
1. Key considerations of the Policy
The Policy provides for the following key considerations for securing the cyber space:
- The security of cyber space is not an optional issue but an imperative need in view of its impact on national security, public safety and economic well-being.
- The issue of cyber security needs to move beyond traditional technological measures such as anti-virus and firewalls. It needs to be dynamic in nature and have necessary depth to detect, stop and prevent attacks.
- Cyber security intelligence forms an integral component of security of cyber space in order to be able to anticipate attacks, adopt suitable counter measures and attribute the attacks for possible counter action.
- Effective correlation of information from multiple sources and real-time monitoring of assets that need protection and at the same time ensuring that adequate expertise and process are in place to deal with crisis situations.
- There is a need to focus on having a suitable security posture and adopt counter measures on the basis of hierarchy of priority and understanding of the inter dependencies, rather than attempting to defend against all intrusions and attacks.
- Security is all about people, process and technology and as such there is a clear need for focusing on people and processes while attempting to use the best available technological solutions, which otherwise could prove ineffective.
- Use of adequately trained and qualified manpower along with suitable incentives for effective results in a highly specialized field of cyber security.
- Security needs to be built-in from the conceptual design stage itself when it comes to developing and deploying critical information infrastructure, as opposed to having security as an afterthought.
The key principles of cyber security critical to the private sector include recognizing the borderless, interconnected and global nature of today’s business, flow of information and cyber environment; ensuring rapid response to emerging threats; adapting to emerging technologies and other uses of information; using flexible and risk-based policy; enhancing awareness; and focusing on addressing and preventing loss.
2. Is there a need for action?
The augmentation of the IT sector in the country is propelling rapid social transformation & inclusive growth. With increasing usage of IT in day-to-day activities, it has become essential to have a secure computing environment and adequate trust & confidence in electronic transactions. It is equally crucial that the cyber security environment should match the security already in place in the globally networked environment. This is essentially an ever-evolving task and requires persistent efforts from all quarters. The Policy, therefore, aims to create a cyber security framework, which will address all the related issues over a long period. Essentially, the Policy caters for the whole spectrum of IT users and providers including small and home users, medium and large enterprises and government & non-government entities. The framework will lead to specific actions and programmes to enhance the security posture of India’s cyber space.
The threat perception is another vital element that prompts action in this sphere. The Policy explains that the existing and potential threats in the sphere of cyber security are among the most serious challenges, which emanate from a wide variety of sources and manifest themselves in disruptive activities that target individuals, businesses, national infrastructures, and governments alike. Their effects carry significant risk for public safety, the security of nations and the stability of the globally linked international community as a whole. So addressing them effectively is a key issue.
3. Priorities for action
To assure security of cyber space, the Policy provides for creating a secure cyber eco-system that includes a series of enabling processes, direct actions and cooperative & collaborative efforts within the country and beyond, covering:
- Creation of necessary situational awareness regarding threats to ICT infrastructure for determination and implementation of suitable response
- Creation of a conducive legal environment in support of safe and secure cyber space, adequate trust & confidence in electronic transactions, enhancement of law enforcement capabilities that can enable responsible action by stakeholders and effective prosecution.
- Protection of IT networks & gateways and critical communication & information infrastructure.
- Putting in place 24×7 mechanism for cyber security emergency response & resolution and crisis management through effective predictive, preventive, protective, response and recovery actions.
- Policy, promotion and enabling actions for compliance to international security best practices and conformity assessment (product, process, technology & people) and incentives for compliance.
- Indigenous development of suitable security techniques & technology through frontier technology research, solution oriented research, proof of concept, pilot development etc. and deployment of secure IT products/processes.
- Creation of a culture of cyber security for responsible user behavior & actions.
- Effective cyber crime prevention & prosecution actions.
- Proactive preventive & reactive mitigation actions to reach out & neutralize the sources of trouble and support for creation of global security eco system, including public-private partnership arrangements, information sharing, bilateral & multi-lateral agreements with overseas CERTs, security agencies and security vendors etc.
- Protection of data while in process, handling, storage & transit and protection of sensitive personal information to create a necessary environment of trust.
4. Certain highlights & Suggestions
Certain important highlights of the Policy are below along with some suggestions:
- The Policy should consider the entire information life cycle (creation, processing, storing, transmitting/receiving and deleting of information) of the cyber information and accordingly design appropriate controls.
- There should be better coordination between the private and the public sectors for security alerts, overcoming issues of cyber crime, sharing of best practices and taking cues from international practices as well.
- The scope for conducting periodic assessments to validate compliance of technology infrastructure, and an assessment of compliance to physical security standards, should be included.
- The Policy should also cover standards around physical security of technology and infrastructure, and hosting centers.
- With the increasing usage of cloud computing, given the economic benefits it offers, the jurisdiction of the worldwide net is ubiquitous, so the jurisdiction issue should also be addressed emphatically, in a manner capable of addressing the cyber security risks arising from the use of cloud computing.
- The “role and responsibilities” of private persons and bodies have been mentioned, but the same is unclear for government departments and should be clearly spelt out. There is no mention of abuse/misuse of power from information gathered for national security purposes by government officials/agencies.
- The surveillance and cyber-intelligence outside the country must be positively controlled.
- The Policy should determine the role the government should play in the defence of critical infrastructures, while safeguarding privacy and civil liberties.
- The Policy should talk about creating an information and threat-sharing plan with private industry.
- The government should support research and development of technologies to enhance security, and provide the research community with event data to help them create tools and testing models for securing networks.
- The government should work towards domestic capacity building by training police, lawyers and judges on cyber crime. Also, citizen awareness about the importance of good cyber security should be highlighted.
- Like the insertion of sections 65-A and 65-B in the Copyright Act, which deal with penal clauses on any person who circumvents an effective technological measure with an intention of infringing rights and with protection of Rights Management Information, more stringent provisions should be inserted in other IPR legislations.
- Monitoring of social networking websites is becoming crucial.
- There should be a provision for a web based central repository for all security related information to which member organizations can upload as well as download information.
- The policy should address privacy issues over use of shared/collected data.
- A sound legal framework and effective law enforcement procedures will become equally crucial in deterring cyber-crime. Though the recent amendments to the Indian IT Act along with the implementation of IT Rules provide an excellent means to enable adequate trust and confidence in the online environment and enhance law enforcement capability to deal effectively with cyber crime, more steps are needed for a more conducive environment.
The Policy is a considerable initial step and the government should be commended for being attuned to the threats and challenges facing the management of cyberspace and taking steps to address them. It identifies indigenous development of IT products as essential for curbing threats from imported hi-tech products, which is a very crucial step and will benefit the domestic sector. Finally, the Policy must take into account the following considerations to devise a comprehensive policy: (a) detailed study of the existing and potential threat landscape; (b) the focus on critical infrastructure is inevitable; (c) software running critical services and infrastructure should be audited and should be capable of “designing in” requisite security; (d) open standards compliance should be a necessary component; (e) securing privacy and civil liberties; (f) creating an information and threat-sharing plan with private industry that protects trade secrets; and (g) continuous support to R&D.
Authored by: Neeraj Dubey