While the Centre is yet to release the National Cybersecurity Policy 2020, it has started efforts to plug cybersecurity gaps. As per The Indian Express, state- and central-government employees will be trained on cybersecurity/cyberhygiene best practices over the next two-three years. Broadcast Engineering Consultants India Limited (BECIL), a PSU, has been tasked with selecting agencies for this. Given how the scope for government handling of citizens’ data in the digital format has greatly expanded in recent years, training government official on cybersecurity is a necessity.
The plan to train employees on which emails to open and what attachments to access is essential, but there is also a need to upgrade infrastructure and reporting mechanisms. India was one of the first countries to have a national cybersecurity policy, but the policy focussed on the private sector’s cybersecurity readiness while there was little oversight on the government’s readiness. An article in this paper by Kanishk Gaur highlights the flaws in the existing system; CERT-In requires all government organisations to carry out regular vulnerability and penetration testing once a year, but the contracts are awarded on a lowest-bid basis. Most auditors, Gaur says, thus end up using open-source software, which detect little in terms of vulnerabilities. Besides, Budget data shows that the FY21 allocation for cybersecurity was a mere Rs 170 crore. In contrast, the UK had allocated `18,050 crore for five years starting 2016. Also, India needs to coordinate with the countries like the UK or Singapore, via agreements like the one it recently signed with Japan and others. There are 36 different cyber response team for central ministries, and each state has its own CERT team. As this newspaper has said before, an umbrella organisation is needed.