India to take first steps toward creating a cyber command, with both defensive and offensive capabilities; revised draft of cyber security policy and cyber security architecture ready
A revised draft of cyber security policy and cyber security architecture will be presented to the cabinet for its approval in next two months, according to highly placed sources in the Indian computer emergency response team (CERT-IN), a body functional under the department of electronic and information technology (DEITY).
Under this new institutional arrangement, the government plans to recruit 6,000 cyber professionals who will be placed with different agencies involved in securing cyber space. Ministry of home affairs, the national security council secretariat (NSCS) and CERT-IN are a few such agencies to be provided with cyber experts. The paucity of skilled human resource in the cyber security domain was recently highlighted by IT secretary J Satyanarayana when he said the country needs more than 5 lakh professionals for securing the cyber space.
It is important to note that the likes of union home ministry, made “responsible for securing the information flowing in government networks”, and NSCS, a body headed by the national security advisor (NSA), didn’t have the required technical expertise in cyber domain. CERT-IN and national informatics centre (NIC), which has been implementing government IT projects since 1975 when it was established, are the only agencies handling cyber security threats so far.
National technical research organisation (NTRO) handles security of critical information infrastructures like power grids, nuclear plants and oil refineries.
The first draft on cyber security policy, put on the communications ministry’s website a year ago, was criticised by many experts for lacking a holistic and nuanced approach toward securing national economy and national security from the perspective of cyber space. Sources said the draft has been revised drastically and is at present in circulation in line departments.
Similarly, a draft cyber security architecture has also been prepared. It will clearly define the roles and responsibilities of various stakeholder agencies involved.
The revised policy and architecture propose to create a national cyber security coordinator (NCSC), a position directly under the NSA, for coordinating cyber security across all agencies: NTRO, national critical information and infrastructure protection centre (NCIIPC), CERT-IN and the ministry of defence (MoD). According to sources, Gulshan Rai, the present chief of CERT-IN, is expected to fill in that gap.
The sources said institutional measures will provide “adequate defence” to the information and critical infrastructure security. It would lead the country toward ‘defence of depth’ strategy by adopting a layered security approach against cyber threats, which are consistently changing in nature and scope. All this will be done in collaboration with the private sector, as evident in a report recently launched by a joint working group committee headed by the deputy NSA on cyber security.
The defence information assurance and research agency (DIARA) is already looking after cyber security of defence forces and agencies, which do not come under the jurisdiction of CERT-IN and NTRO, which are civilian agencies. DIARA works in close coordination with CERT teams of the three armed forces: the army, navy and air force.
The government is also in the process of setting up a national cyber coordination centre, which will primarily gather intelligence on cyber threats across the public and private sector and disseminate that information to the respective agencies, it is learnt. The key job of this centre, according to sources, will be to monitor “traffic data”, and “not content”, flowing through the networks of various internet service providers (ISPs) and other private agencies.
Officials said the government has earmarked Rs 500 crore to set up the centre. The proposed centre will be housed on the DEITY premises and will have a facility wherein personnel from all stakeholder agencies can sit together and monitor cyber traffic following their own area of interest.
Welcoming the government’s move, cyber security experts have called it the first step toward prioritising cyber security. This marks a shift in the Indian strategy from being ‘cyber defensive’ to ‘cyber offensive’, the experts said.