A comprehensive cybersecurity strategy is needed to foster and sustain trust in the digital ecosystem
With the vision of a trillion-dollar digital component, accounting for one-fifth of the $5-trillion national economy, the importance of cyberspace in India would only keep growing as Indians have taken to mobile broadband like fish to water, driven by affordable tariffs, low-cost smartphones and a spurt in availability of audio-visual content in Indian languages.
However, all is not well with cyberspace. Cybersecurity incidents observed by the Indian Computer Emergency Response Team (CERT-In) went up almost four times from 2017 to 2018, while cybercrimes went up by 77% from 2016 to 2017. Unsurprisingly, India’s global rank on the cybersecurity index slipped to 47 in 2018 from 23 in 2017, according to the UN agency ITU (International Telecommunication Union).
Cybersecurity threats may manifest within a technical context, like an unpatched software vulnerability, malicious software or a malicious link, but mostly emanate from fear, greed or sheer carelessness, the basic human vulnerabilities. This would only get further amplified with the onset of 5G, artificial intelligence, augmented reality, robotics, quantum computing and the Internet of Things.
Criminals can defraud unsuspecting users into sharing their bank or credit card account details with the PIN and passwords, intimidate and bully others, indulge in cyberstalking or, for that matter, be involved in cyberespionage, terror financing or child pornography. Operations of critical infrastructure such as power grids or ports can come to a halt with ransomware, and fake news can flare up social tensions.
Criminals are quick to latch on to trends like Covid-19. More than 4,000 fraudulent portals emerged within two months, and on a typical day in April 2020, Google alone blocked 240 million spam messages and 18 million phishing scams. Similar-sounding UPI (Unified Payments Interface) IDs had popped up soon after the Prime Minister had announced the PM CARES Fund.
There is a need to secure, strengthen and synergise the policy toolkit in this realm. Besides the Information Technology Act, 2000, and the upcoming data privacy law, the government has begun discussions on the National Cyber Security Strategy (NCSS) 2020. So, what should be the contours of the NCSS?
Tech is global, policy is local
It is a common and interoperable set of standards that makes the ‘packets’ of data traverse global cyberspace, crisscrossing continents, oceans and even space, but a government’s writ runs basically within its own jurisdiction. India is a member of the Group of Governmental Experts (GGE) and the Open-Ended Working Group (OEWG), both under the aegis of the UN. However, since a global consensus is unlikely any day soon, India should consider joining or leveraging existing frameworks like the Convention on Cybercrime and the Paris Call. After all, cybersecurity has become a geopolitical issue, as reiterated time and again by the Prime Minister.
Security by design, budgeting by default
It is high time that 10% of every IT budget in the government be earmarked for cybersecurity, as recommended by the NASSCOM Cyber Security Task Force, just as 1-3% of every ministry’s budget was set aside for IT in 1998, as recommended that year by the Prime Minister’s IT Task Force.
Security vs privacy: A false binary
Rather than being contrary to each other, security and privacy actually reinforce each other. After all, there cannot be any data privacy without data security. Hence, the NCSS and the data protection framework must be consistent with each other. Exceptions and exemptions must be narrowly crafted, in compliance with the principles of lawfulness, fairness, transparency and proportionality laid down by the Supreme Court in its 2017 privacy judgment.
Prevention is better than cure
We all are practising thorough handwash, social distancing and masks to mitigate coronavirus infections. Likewise, nine out of 10 data breaches can be mitigated if we all take care of basic cybersecurity like using licensed and updated software, using different and difficult passwords for different services and devices, multi-factor authentication and strong encryption. We need innovative solutions to scale up awareness as our user base is expected to reach a billion over the next five years, compared to half a billion currently.
The government should share its own assessment back with the private sector to create an incentive for the latter to proactively share its intelligence on threat vectors without jeopardising contractual obligations or intellectual property. After all, most of the design, development and deployment of technology is in the private sector.
Pragmatic, predictable, flexible
Underlying principles must go along with the strategic objectives and provide sufficient guidance and flexibility to sector regulators within their respective ecosystems. For example, the cybersecurity guidelines or frameworks issued by RBI, SEBI, IRDAI and PFRDA can be greatly synergised under the aegis of the Financial Stability and Development Council (FSDC), thereby bringing greater sanity for the regulators as well as the regulated entities.
In addition, every regulation must emerge through public consultation and be backed up with a regulatory impact assessment, whether it is about cross-border data flows or restricting encryption.
Amongst top 10 by 2025?
Just as India has been significantly improving its rank on the World Bank’s Ease of Doing Business Index year on year, isn’t it high time that India ranked amongst the top 10 within the Global Cybersecurity Index?
The author is a public policy consultant. Twitter: @dmcorpaffair