Protecting the virtual cobweb

Kapil Sibal, minister of communications &

information technology, launched the National Cyber Security Policy 2013 (NCSP) on July 2 in Delhi. The vision of NCSP is to build a secure and resilient cyberspace for citizens, businesses and government. It seeks to protect information and information infrastructure in cyberspace and also capabilities to prevent and respond to cyber terror threats, reduce vulnerabilities and minimise damage from cyber incidents through a combination of institutional structures, people, process, technology and cooperation.

NCSP aims to create a secure cyber ecosystem in the country and strengthen the regulatory framework for ensuring the same and enhance and create national and sectoral level 24×7 mechanisms for obtaining strategic information regarding threats to ICT infrastructure. It further aims to enhance the protection and resilience of India’s information infrastructure by operating 24×7 National Critical Information Infrastructure Protection Centre. The objective is to create a workforce of 5 lakh professionals skilled in cyber security in the next 5 years and also seeks to enable effective management of prevention, investigation and prosecution of cyber crimes and enhancement of law-enforcement capabilities through appropriate legislative intervention. One of the most significant features of NCSP is that it visualises a culture of cyber security and privacy, enabling responsible user behaviour and actions through effective communications.

NCSP is a good step in the right direction and the government needs to implement its vision and thought process. This is the first time that an attempt has been made by the government to state its policy on cyber security and to provide guidance to all relevant stakeholders in the cyber security ecosystem regarding the directions that India needs to take as it moves forward. It also opens up the doors for creating far more awareness about cyber security and aims to put in place various strategies to achieve various objectives of the policy.

However, the policy has come in late. India has already seen various attacks on its critical information infrastructure and on various governmental websites and networks by outside elements. The 26/11 Mumbai attacks were the perfect wake-up call for the government to realise that technology can be misused to impact the sovereignty, integrity and security of India, and India’s friendly relations with other nations. There are various instances where government networks were breached and important information was downloaded outside the territorial boundaries of India, which demonstrates the inadequacy of the existing legal regime to deal with such a scenario. The Bangalore cyber terror attacks showed how mass terror and hysteria could be generated without shooting a single bullet. It also demonstrated how breach of cyber security could not only impact critical information infrastructure of the country but also the population of the country or large sections thereof and also their mindsets.

India should have had its cyber security policy immediately after the 26/11 attacks. A perusal of the policy shows that NCSP is just a collation of various policy statements. There is no accompanying National Cyber Security Action Plan in the policy. Having stated high goals as an initial statement is good but more significant is the need for coming up with specific action plans as to how NCSP 2013 can appropriately and specifically achieve its objective and goals in a time-bound and realistic manner.

While the policy contains lofty ideals, the reality is that it does not yet give any specific details or instructions of what relevant stakeholders in the mobile and the digital ecosystem have to do in the event an Estonia-like cyber attack of 2007 is targeted at India. This assumes all the more significance since India is reportedly the third-most infected nation in the world as far as Stuxnet virus is concerned.

NCSP 2013 has been drafted in very vague and broad terms and does not contain parameters of its effective implementation. Further, it is silent as to how the government would seek to balance between protecting cyber security interests on the one hand and preservation of privacy and civil liberties of the individuals on the other.

Variety of other steps are needed to be taken by the government so as to achieve the various ideals and objectives as detailed in NCSP 2013. As the government would move forward to come up with its appropriate guidelines and action plan under NCSP 2013, it will be imperative for the government to come up with a blended approach of balancing the interests of cyber security and the protection and preservation of rights and liberty of people.

The policy is just one of the many steps that the government needs to take in order to protect and preserve India?s cyber security and sovereign interests in cyberspace. Given the dynamic nature of the challenges involved in cyber security and given the increasingly sophisticated use of technology by cyber criminals to breach cyber security, cyber security protection and preservation as a management function requires constant updating.

It has to be understood that cyber security is not a governmental subject. All stakeholders have to contribute to the protection and preservation of cyberspace as a phenomenon. Each one of us has to contribute in this regard so as to make cyberspace as also the use of computers, computer systems, computer networks, computer resources and communication devices as also data and information in the electronic form more secure. Internet is a heritage of mankind and all steps need to be taken so as to protect and preserve it from potential defacement or any act that aims to diminish the value or utility of information resident thereon. All of us have to contribute in creating a culture of cyber security in India.

The author, a leading cyberlaw expert, is president, cyberlaws.net, and head, Pavan Duggal Associates. pavan@pavanduggal.net