India Needs a Cyber Security Strategy: Cyber Patriots Task Force
One doesn’t need to reiterate the gigantic presence of the cyber phenomenon in this networked world. But with these cyber inroads, the threats to cyber security have also grown multifold and as we digitise, this will inadvertently lead to further cyber-crimes and terrorism. While we are definitely chest thumping and sloganeering to prove our patriotism in the physical world, how do we ensure cyber patriotism in the fast evolving digital world too? Moreover, with cyber terrorism and cyber threats becoming more and more real, are we equipped to handle crises stemming from this cyber vulnerability and is there any level of preparedness that the state is working towards in the face of cyber threats?
There is clear unanimity on the need for a definite framework and a well-thought-out cyber strategy that includes components such as technology, verticals, policy and human resources, and on sensitising citizens about threats and responsibilities in the fast evolving cyber world.
India has digitised at a robust pace primarily during the last five years. “This development is also throwing up unprecedented challenges in the sense that while we have got rid of the manual systems, are we as secure in terms of cyber security as we should be in this technologically volatile environment,” asked Sameer Kochhar, Chairman, SKOCH Group, adding that like the rest of the world, Government of India too has little capacity to brace for cyber security as the large body of knowledge and best practices reside outside the government. This is the raison d’être for this initiative to conceptualise a cyber security framework and strategy for the nation.
Discussing the importance and the need for such an effort, Anjali Kaushik, Professor at Management Development Institute, said that whether it is individuals, corporates or nations, everybody is increasingly being hit by cyber crimes.
“We have to look at operational technology solutions and not just IT. Training framework is required not only for IT but also how to apply technologies and leverage from them,” said R Priyamvada, IT Head, Engineers India Ltd. There are four views that emerge: policy, sectoral, technology and citizen view. A cyber security strategy and framework has to amalgamate the four while taking care of operational technologies.
According to Gulshan Rai, National Cyber Security Coordinator, the cyber security issues are getting complicated due to leapfrogging of the technology. “Whatever we have seen in the past decade or so, is going to be totally different than what we would witness in the next five years. We can’t imagine the changes,” he said.
At present, India does not have a comprehensive cyber security framework. Although the Government of India released a National Cyber Security Policy in 2013, it is far from comprehensive and has not been implemented properly.
“On the other hand, due to increasing digitalisation across the country particularly with emergence of Smart City programmes coupled with Artificial Intelligence, unless we strike a balance, we cannot possibly think of any further digitalisation without chalking out a cyber security framework,” Kaushik said.
Bringing in a much larger picture, Jaspreet Singh, Partner-Cyber Security, Africa, India & Middle East, Ernst & Young said, “It was only seven years ago that the United Nations decided to include cyber warfare as another dimension in addition to the traditional air, water and land warfare. When we include cyber warfare, we are obviously talking about the global scenario.”
In India, the digital literacy rate is close to 35 per cent and it is time to ask if this chunk of population knows the cyber do’s and don’ts. The country needs to have a nationwide fundamental policy, which the citizens can be answerable to, Singh said.
It is true even for corporates, whether small or large. “There are cloud solutions available for as low as ₹250 per month. The subscribers look at the cost and ignore security aspects. This increases their vulnerability without their being aware of it,” cautioned Avneesh Vats, Deputy General Manager-IT, Energy Efficiency Services Ltd.
“Let me take security as a first measure, which is why traditionally we have had armed forces for external security, financial institutions for economic security and then institutions to protect the intellectual property of nations and innovators. It is meant to not just protect the IP but also generate economic value for the nation. When we move to the digital economy, the same holds true for this as well and we need to protect the economic value of the digital ecosystem,” added Sivarama Krishnan, Leader – Cyber Security, PwC.
We need to protect data and also utilise it to create value for the nation. One more question that arises is how I create knowledge and awareness for this nation to ensure the economic well being of its citizens. So, if we think from this perspective, we definitely need security not just for government data but also about how to create value in this new digital ecosystem, Krishnan further said.
Our Constitution is what defines us and once again, while we are discussing the digital revolution, should we have a digital interpretation of the Constitution as well? Also digitalisation is very open to centralisation and makes policy capture easier, making it much more vulnerable. So, how important is a cyber security strategy to protect the constitutional values and freedom guaranteed by the Constitution?
“We need to see and define the total threat. If we are not able to look at the larger perspective, the strategy that we suggest will fall short of being comprehensive. Cyber security needs to be seen in the context of national security and not piecemeal,” added Bhushan Mohan, former Principal Consultant, NeGD, MeitY.
Akhilesh Tuteja, Global Co-Leader – Cyber Security, KPMG, said that such a strategy is important to protect the singularity of interest and to create a code that allows not just the individual freedom but freedom of choices, which is not mollycoddled by one party alone.
Talking about the reach of technological monopolisation by a handful of tech giants globally, Tuteja said that most people are not really worried about the possibilities that technology domination can create for a nation state. The power of contamination that technology has is like that of smoking: it is not just the individual who smokes but also the surroundings that are at risk of being contaminated. Likewise, the same network can contaminate much more than we fathom.
The private sector is much better equipped and has more resources than the public sector, and it is important that government and private sector work hand-in-hand on cyber security issues, said Shefali Dash, former Director General, National Informatics Centre. Globally, governments have taken cognisance of public-private partnership (PPP) and have worked together to draft cyber security frameworks with a wider and collaborative vision. However, the story in India has been different. “Our National Cyber Security Policy exists. It was published in 2013 and is available on the Ministry of Electronics & Information Technology (MeitY) website. It was a 20-pager that has been reduced to a single-page document. However, the private sector is yet to adopt it. Government and private sector will have to work in unison in this scenario to bring about this change,” Gautam Kapoor, Partner, Deloitte India, said while drawing comparisons with the US and UK, where the governments are actively inviting the private sector to contribute to the understanding of cyber security.
However, another interesting aspect of this is how important is a framework in the vendor transition plan and also, should there be an exit clause in case of tender with the list of do’s and don’ts for the private firms to ensure data security? Should the framework thread together the important aspects namely cyber security, data protection and handing over to ensure that data is not misused and is protected from unauthorised usage?
“As a practitioner, I would like to emphasise on the fact that we are still learning. Honestly, we don’t understand our data and businesses well. The entire ecosystem needs to be understood before we start working on it,” emphasised Golok Kumar Simli, Principal Consultant & Chief Technology Officer – Passport Seva, Ministry of External Affairs. Incidentally, the Passport Seva does have a 100-page document on cyber security that the system adheres to.
Having a cyber security policy shrunk to just a few pages speaks volumes about where we stand in terms of our understanding and preparedness for cyber security. It is quite ironic indeed. “Cyber space essentially means global reach. The question today is of national security and we are struggling with basics. On behalf of the private sector, I can comfortably say that there is a lot we are missing on, in terms of hygiene. We need something we can refer to; a mandate through the regulators to make sure that every organisation by and large follows these practices,” Mannan Godil, CISO-Information Security Group, Edelweiss Rural & Corporate Services Limited, said while emphasising the importance for a country the size of India of having a bluebook on cyber security.
Unarguably, the financial systems are one of the most vulnerable systems to cyber crimes. Giving a perspective about this vulnerability, Nafees Ahmed, CIO, Indiabulls Group, remarked, “Cyber threats, over the last two years, have become the biggest threat for the businesses, since the systems are open now and everyone is using the cyber space and is connected to our system. We are facing millions of attacks from around the world and we are constantly working to evade these attacks. Given the present scenario, a bullet-proof cyber security framework for the country and for the businesses is a must.”
There are myriad borderless incidences of cyber attacks from almost everywhere on end-users to companies to government organisations. S S Sarma, Director, CERT-In MeitY, said, “Incidences of cyber attacks on end-users, government stakeholders, industries etc are reported almost on a daily basis. There is a lot of asymmetry in response to these attacks as not all are well-evolved, the ability to respond does not cut across all sectors.”
Crime prevention and law enforcement are two facets of cyber security and we need both documentation and capacity building for enforcement as well as prevention. Brijesh Singh, Inspector General of Police-Cyber, Maharashtra, said that law enforcement is in a unique space in terms of cyber crimes and it is important to understand that cyber security is not a technology problem, while we continue to look at it from the tech eyes. We need to change this perspective. Giving insights into the magnitude of cyber threats, he further said, “If we start registering all the cyber cases, we will have some thousand cases every day.”
Countries like India are facing an increasing threat of cyber attacks. The attacks are not just on individuals’ privacy and businesses, but also on national security. “We have to look at couple of more issues that change the technologies like drones, cameras etc and how are these going to impact the national security, industrial establishments as well as the security of individuals. Privacy is a big element and has to be adopted in the cyber security policy,” said N Vijayaditya, former Director General, NIC.
While security and privacy are important elements, one should not lose sight of human resources. “The cyber security requirements are different for each sector like transport, power, banking and finance etc. We need to understand the nuances of each business and have to highlight this aspect,” concluded Murlalikrishna Kumar, Senior Consultant, Niti Aayog.
The first deliberation of the Cyber Patriots Task Force reached a consensus that the country needs a cyber security framework, which should have inputs from various quarters to produce an adequate policy. While the rest of the world is actively working towards it, our bluebook seems to be biting the dust with a reduced and redundant skeleton. Also, while the government is taking its own time to show any willingness for such an initiative, as cyber patriots, the Task Force should evolve a framework and put it across as an interim document. While such documentation is an important first step, its sensitisation and implementation are equally important, and for such a policy to be successful, it needs to be dynamic and adaptive, which has to be in-built into the framework.
Inclusion is the first magazine dedicated to exploring issues at the intersection of development agendas and digital, financial and social inclusion. The magazine makes complex policy analyses accessible for a diverse audience of policymakers, administrators, civil society and academicians. Grassroots-focused, outcome-oriented analysis is the cornerstone of the work done at Inclusion.