While the Stuxnet attack by the US, affecting nuclear reactors in Iran, spelled out the necessity of cyber defence systems, most countries have since followed a need-based approach to cybersecurity.
Given how the government appeared to be lacking a clear response on the cybersecurity breach at the Kudankulam Nuclear Power Plant, a central data security agency is an idea whose time has come. In 2017, when NITI Aayog’s cybersecurity report was published, there were 36 bodies under different Union ministries, including the Computer Emergency Response Team India (Cert-IN). Each of these bodies has its own reporting structure and response protocol on managing cybersecurity. Now, each of the states has its own Cert, as had been recommended by NITI Aayog, and more cybersecurity cells have been added by central ministries. While the security infrastructure and reach seems to have become robust, a lack of coordination—the Kundankulam episode is proof of this—has left the system performing sub-par. The government, as per a report in Hindustan Times, is planning an umbrella organisation for all cybersecurity concerns, emulating the system in place in the UK, the US, and Singapore. To be sure, the government had already created the office of the National Cyber Security Coordinator. But, a central hub for coordination can perhaps ensure more effective action. For instance, in the case of an attack, the central command can immediately be alerted, and then other government agencies can ramp up defences to protect from a further breach. Had the Kudankulam attackers wanted, the breach could have easily crawled from the nuclear power plant to other utilities, shutting down the whole system.
While the Stuxnet attack by the US, affecting nuclear reactors in Iran, spelled out the necessity of cyber defence systems, most countries have since followed a need-based approach to cybersecurity. The Kundankulam attack exposes India’s vulnerability. Although the National Cybersecurity Policy 2020—the last one was seven years ago—does address such issues, with more countries and terrorist groups developing cyber warfare tools, there is a need to be more proactive. Suggestions like the inclusion of cybersecurity course in schools and colleges do sound good, but none of them make sense if the government is not able to attract and retain top talent. More important, without cyber-awareness none of the government’s initiatives can function correctly. In the absence of a national framework, cyber-awareness has been left to Cert, but the agency’s record in pushing awareness has been dismal. In the case of the WhatsApp breach, Cert did inform about software upgrade; it is only when the issue came to light that people paid heed to their circular and advisory. Cert virtually has no presence on social media—and on the platforms it has an account, it activity has little to do with spreading awareness—on Facebook, it last updated its account in July, that too for the promoting a government programme. With the country looking at more connected infrastructure, courtesy the fourth industrial revolution and widespread use of the internet, cybersecurity needs can’t be ignored, especially when more government services come to rely on the internet.