India’s tryst with a New National Cyber Security Policy: Here’s what we need



By Col. Sanjeev Relia (Retd.)

As a nation, we continue to fight battles to safeguard our sovereignty, jurisdiction and privacy from the intrusive and anonymous threats that dominate the arena of cyberspace.

The onset of the pandemic last year resulted in heavier dependence on technology, coupled with a deeper adoption of interconnected devices and hybrid work environments. This renders us more digitally vulnerable than ever before. Indian Government data recorded 1.16 million cyber security cases in 2020, a 3x spike from the previous year.

Similar to other countries, cyber-attacks in India jeopardize national security by accessing sensitive Government infrastructure. Last month, hackers pulled down the two-factor authentication system used by the Indian government to secure its email network – thrice, compromising the emails of many Government officials. Unfortunately, those behind the attack and the modus operandi are yet to be confirmed.


We witness data breach incidents every month. The onset of 2021 witnessed some Government websites leaking COVID-19 lab test results of thousands of Indian citizens. A cyberattack on systems at an airline data service provider in May ’21 resulted in the leaking of personal data of 4.5 million passengers of the airline. In the very same month, the Personally Identifiable Information and test results of 190,000 candidates for the 2020 Common Admission Test were leaked and put up for sale. In April ’21, a million credit card records and details of 180 million pizza orders taken, including customers’ names, phone numbers, and email addresses, were leaked. While these are some of the known cases, the real number, mostly unreported, may be very large.

What could an organisation responsible for cyber security be?

While threats emanating from cyberspace are well known, ironically, at the national level we still do not have a strategy that lays out guidelines on how to tackle them. There is no formal framework to protect critical information infrastructure and other national assets, one that lays down a response policy in the eventuality of either of the two being attacked by an adversary.

The National Cyber Security Policy (NCSP), released by the Government of India in 2013, laid down several strategies to counter security threats from cyberspace. Although eight years have passed, limited implementation has taken place, and our country remains amongst the most targeted nations. The lack of a comprehensive cybersecurity strategy/policy is conspicuous and is increasing our vulnerability.

There seems to be a light at the end of the tunnel for India. Before we embark on 2022, India will have been presented with a National Policy on Cybersecurity by the Department of Electronics and Information Technology (DeitY).

The Government has already shared its vision to ensure a safe, secure, resilient, vibrant, and trusted cyberspace through a new strategy that would serve as a guideline to manage data as a national resource, build indigenous capabilities and carry out cyber audits.

However, in matters of cybersecurity, India must strategize and put in place a collaborative approach to achieve stability and security. The 2021 revised Cybersecurity Policy should address three crucial areas:

1. Legal Framework – While India does not have a dedicated cybersecurity law, the Information Technology (IT) Act, 2000 deals with cybersecurity and associated cybercrimes. Some cybersecurity-related provisions are included in the Indian Penal Code, 1860 (which punishes offences, including those committed in cyberspace), and in the Companies (Management and Administration) Rules 2014 framed under the Companies Act 2013. Additionally, sector-specific regulations issued by regulators such as the RBI, the IRDA Act 1999, the DOT and the SEBI call for cybersecurity standards to be maintained by their regulated entities – banks, insurance companies, telecom service providers and listed entities.

A lot, however, has changed in the way businesses operate and how crimes are initiated from cyberspace. Let us take an example – the rise of digital payments has significantly increased complex cybercrimes involving digital payment transactions. Lending companies offer instant frictionless payment experiences to their consumers – which in turn leaves banks and entities operating in the payment ecosystem with very little time to identify and respond to cyber threats. Therefore, the IT Act 2000, amended in 2008, likely needs to be updated, putting in place cybersecurity standards in line with the nature of information assets handled by specific types of entities.

2. Cyber Response Entity – Any organisation responsible for managing cyberspace at the national level should have a clear line of authority, so that all existing resources can be optimally utilized. Unfortunately, such a framework does not exist. There are multiple Government agencies in India which deal with various aspects of cyber security. Each of our defense services has its own cyber experts, and even the State Police have their cyber investigators. There is an urgent need to synergize the efforts of experts working under separate Government ministries and departments towards a common goal. The Government could put together an organization like a National Cyber Command.

3. Data Protection – Data is a national resource, and the maximum amount of data is exchanged using cyberspace. Most nations whose Governments and citizens rely on cyberspace for various routine functions have a data protection law. The European Union has GDPR, and the USA has the California Consumer Privacy Act. The Data Protection Bill was tabled in the Indian Parliament in 2019 and despite many Indians losing data on multiple occasions (well highlighted in the media), there has been no urgency to pass the bill.

No one can doubt the commitment of corporate India and the Government in renewing cybersecurity practices in India. India’s private sector will have to intensify its engagement with the Government considering the increased volume of digital financial transactions, and the current rate of cyber-attacks in the country.

The Government’s focused approach towards cybersecurity preparedness and awareness has the power to be the game changer!

(The author is an Indian Army Veteran having served in the Corps of Signals. He has authored a book titled, Cyber Warfare: Its Implications on National Security and is a certified Ethical Hacker. Currently he is the Senior Advisor and Head- Cyber security Practice at Alea Consulting. Views expressed here are personal and do not reflect the official position or policy of Financial Express Online.)
