As cyber threats grow in sophistication and magnitude, formulating robust cyber policies has become imperative to safeguard national interests, protect critical infrastructure, and foster secure digital ecosystem and the most important defence.
India is an intriguing case study among the nations navigating this complex cyberspace paradigm, reflecting a unique and evolving approach to cyber policy formulation.
Action over theory
According to an expert, the move by the way of Cyber Policy is now the alarm for examining India’s pragmatic approach for confronting cyber challenges, showcasing how policy frameworks have been adapted and refined to address emerging threats dynamically. “While initially drawing from international best practices and frameworks, India quickly realized the necessity of customizing cyber policies to suit its unique context. This adaptability marked the commencement of a pragmatic journey, where India embraced an action-oriented approach over a purely theoretical one,” Dr (Prof) Nishakant Ojha, Advisor Cyber & Aerospace Securities,
Expert View
Dr (Prof) Ojha, says, “By examining the evolution of India’s cyber policy, it can be visualised through the sheds light on critical milestones, such as establishing dedicated bodies like the National Cyber Security Policy, the Indian Computer Emergency Response Team (CERT-In), and the National Critical Information Infrastructure Protection Centre (NCIIPC). These institutional developments exemplify India’s commitment to enhancing its cyber resilience and responding effectively to cyber incidents, furthermore the Recent approach of India’s proactive initiatives on international collaboration, information sharing, and capacity-building to combat cyber threats on a global scale. Such efforts demonstrate India’s growing influence in the international cyber landscape, positioning the nation as a responsible stakeholder in shaping cyber norms and standards.”
By critically examining India’s journey, “we should be realistic in accepting the facts that still there is a long way to go with understanding the real objectives , aims which will help to extract valuable lessons and insights that may inform the cyber policy decisions of other nations facing similar challenges in this ever-evolving digital age,” opines Ojha. According to him, India being a developing country & rapidly growing economy, it is time to focus on action-driven policies in India’s cyber journey so that it can inspire other nations seeking to fortify their cyber defenses and effectively navigate the dynamic cyberspace landscape.
Background
India’s National Cyber Security Policy was established in 2013 to create a secure and resilient cyberspace. The policy promotes smooth economic transactions in cyberspace and contributes to attaining broader strategic objectives, such as fostering a ‘free and open Indo-Pacific’ region. Sharing his views with Financial Express Online, Ojha says, “The Indo-Pacific region is experiencing a rise in malicious cyber activities, leading to the emergence of new and evolving security architecture. The Tokyo Summit of the Quadrilateral Security Dialogue (Quad) on May 24 acknowledged the significance of cyber-security in the Indo-Pacific region. It emphasized the necessity for a collaborative strategy to prioritize cyber capacity development among member states.”
In his opinion the National Security Council Secretariat (NSCS) has developed a draft National Cyber Security Strategy to address the country’s cyberspace security comprehensively. “India’s adversaries have increasingly launched cyber-attacks due to changing geopolitical dynamics in South Asia and the Indo-Pacific region. India has experienced attacks on its power systems, telecom equipment ecosystems, Defence infrastructure and financial systems by both state and non-state actors,” he says. Adding, “ There are increasing concerns regarding the dual threat posed by China, North Korea and Pakistan, as these countries are suspected of engaging in cyber activities that can potentially disrupt and harm India’s critical information infrastructure assets. China has taken control of India’s electricity network after the Galwan incident and has tried to infiltrate the highest security organization. These endeavours have substantially affected India’s perception of national security.”
In his opinion the threat landscape refers to the current risks and vulnerabilities within a particular system or environment. The proliferation of digitization and advanced technologies has inadvertently expanded the possible entry points and the extent of cyber-attack vulnerabilities and that’s the reason which is putting a major thrust for changing the Cyber Policy of India.
According to Ojha, in November 2021, suspected Iranian hackers launched ransomware attacks on networks in the United States and Australia. The Indo-Pacific region is experiencing a rise in malicious cyber activities. As a result, a new and evolving security architecture is emerging in the region. Disrupting critical infrastructure can occur either to cause disruption or for financial gain. In April 2021, the United States experienced a cyber-attack that compromised multiple federal agencies. The attack exploited vulnerabilities in Pulse Connect Secure virtual private networking (VPN) software. The Indo-Pacific region is also experiencing increased cyber threat actors engaged in cyberespionage or seeking financial gain.
Cyber Security & G20
“The cyber-security policy of India and its connection with the Quad and subsequent G-20 meetings India’s cyber-security policy aligns with the objectives of the Quad and G-20 by aiming to establish a secure and resilient cyberspace. This involves the creation of a cyberforce comprising skilled professionals who can effectively prevent and respond to cyberattacks while mitigating the potential damages caused by different cyber threats. The policy emphasizes a collaborative approach involving public and private organizations, individuals, and technology,” he shares.
India’s cyber-security policy, in his opinion emphasizes frontier technologies and research aimed at finding solutions but the real question is how far we have reached and what we have achieved which could be tangibilize and audited . The attacks are increasing thrust-fold on the soil of India every day , the attacks don’t need to be spoken, they are silent attacks also.
During the Fourth Annual US-India 2+2 Ministerial Dialogue in April 2022, both countries acknowledged the significance of open, secure, interoperable, and stable cyberspace. They also expressed their commitment to collaborate closely in addressing the criminal use of information and communication technology (ICT) and the increasing cyber-security threats posed by state and non-state actors.
India’s cyber policy aims to create a safe online environment by strengthening the country’s rules and regulations. The framework recommends that every company have a CISO (Chief Information Security Officer). The CISO’s responsibilities include ensuring that firms have sufficient funds to address cybersecurity threats. A policy directive calls for a National Critical Information Infrastructure Protection Centre (NCIIPC), its mission is to monitor the protection, growth, and efficient use of the nation’s information resources and to respond to and manage emergencies involving the country’s essential information infrastructure. Based on the information available in the public domain, according to the policy, the efficacy of the information security framework about the regulatory framework must be regularly audited and evaluated. The Quad Cybersecurity Partnership is not a legal framework but a cooperative effort to improve cyber cooperation and support in the Indo-Pacific region.
Indian Computer Emergency Response Team (CERT-In)
“The Indian Computer Emergency Response Team (CERT-In) and its arm’s length CERT-Fin is supposed to regularly issue alerts and advisories to address current cyber threats and vulnerabilities and provide countermeasures for protecting computers and networks.
The Policy if it is not able to convert into rules & guidelines , the purpose will never be solved.Source of the information & data needs to be vetted only then it can work effectively under the Cyber Security Policy of India.So the Question how the Data Breach information is Sourced or Collected,” explains Ojha.
Also similar in the fight against cybercrime, the Indian Cyber Crime Coordination Centre (I4C), was created and which operates under the Ministry of Home Affairs (MHA), is the central coordination point. They work to combat cybercrime effectively.
According to him, advanced technologies, digital solutions, increased availability of ICT services, and the growth of financial technology drive the expansion of Indian cyberspace. Adding, “Initially, there is a need to enhance legal and regulatory frameworks. Legislative efforts should be made to enhance the IT Act, reinforcing its current provisions and bolstering individual security measures. Additionally, it is recommended that the concerned agency undergo regular network cyber audits conducted by various governmental agencies. Implementing a national Cyber Security Policy enables effective management and implementation of steps to enhance cyber security.”
“As India implements data localization measures to enhance data security, conducting a comprehensive evaluation of data storage and management practices is crucial. Clear delineation of access control is necessary for data stored in cloud servers and physical premises. An enhanced data management policy is essential for ensuring data security, regardless of its storage location,” he observes.
In nutshell there is a need for in-depth analysis of India’s approach to cybersecurity over the years. Time has come for the evolution of the advanced nation’s cyber policy, emphasizing its transition from theoretical frameworks to concrete actions and implementation.
Nevertheless, “it has identified the specific challenges India must continue to address. The dynamic nature of cyber threats demands continuous adaptation and innovation in policy frameworks and harmonizing laws and regulations to tackle transnational cybercrime effectively and Policy makers should not forgot some of the key emerging areas like involvement of Quantum, Neural Network Architectures, Computational Requirements in the present days of Cyber World,” Dr (Prof) Ojha concludes.