India might be the most sought after destination for IT and software services, but when it comes to cyber security or its professionals, it finds itself seriously short-changed. The new cyber security policy 2013, under discussion since 2011, mandates a chief information security officer (CISO) in every department to protect the system from cyber threats and attacks. It also mandates creation of 5,00,000 cyber security professionals in the next five years through skill development and training. Considering that China currently has 25 million cyber security professionals, and even North Korea, Singapore and Malaysia have more, this shouldn’t be a big task for India.

However as luck, and will of the Indian government, would have it the Indian cyber emergency response team (ICERT) responsible for implementing the policy does not even have a roadmap for the same.

One reason to believe that the cyber security capacity building programme in India has not even taken off is the way everyone in the government, particularly in ICERT, seem to be reacting to the question from this correspondent seeking information about the status of the project. In fact, Gulshan Rai, director general, ICERT, and the man at the helm of the affairs seemed clueless too when he said that he could not speak about capacity building on the telephone. The mail was unanswered when we went for publishing.

One more thing that no one in the department of electronics and information technology (DeitY) and ICERT seems to have any clue about is the profile of these 5,00,000 professionals the government wants to train and their skill sets. Akash Agarwal, country head, EC Council, aptly asked, “Does it (the policy to train 5,00,000 professional) mean training in the government sector or private sector? Has the word ‘professional’ been defined? How much training should a person undergo before he could be called a professional?”

Dinesh Pillai, CEO, Mahindra Special Services Group, also asked the same question. He said, “It is great that the government is thinking about training and there is a policy about it. However, the term ‘professional’ needs to be defined. Anyone with one certification today becomes a systems security guy. This should not be the case.”

According to sources in DeitY, around 40,000 people have been trained in cyber security till now. These sources also mentioned that the various universities, IITs, NITs and private universities have been roped in for providing courses in cyber and network security, information and forensics. However,  Governance Now could not find any substantial courses mentioned in the syllabi of these universities.

Apart from IIT Delhi, which has announced the opening of a ‘cyber security training centre’, no other IIT was found to be doing much in terms of training in the field. The opening of the training centre at IIT Delhi was announced in November 2013. It has not started functioning or offering courses as of now. However, IITs do offer short-term courses on network security both separately and as part of their bachelor of engineering (BE/BTech) programme.

This after a notification from UGC, that all UGC/AICTE affiliated colleges would have to offer courses on cyber security at the undergraduate and postgraduate level, in January 2013. However, a quick look at the notification and one can understand the reason for the lackadaisical approach – the notification neither mandates any date or timeline for the implementation nor does it provide a ‘how-to’ plan for the same.

AICTE, in all fairness, announced that as a national policy, if an institute applies for more than one new course or more than one increase in division for a PG course in Computer Science and IT, then it would have to add one of the following courses at the PG level as well: a) cyber security, b) information technology and cyber warfare, c) biometrics and cyber security, and d) cyber forensics and information security.  However, the same could not be found on the institutions’ syllabi.

Pillai said that it is not the institutes’ fault. Unless they get sufficient funding for infrastructure and gets an accreditation, it is difficult to offer courses on cyber security. “Investment for cyber security courses or training is not one time and the institutes need resources for that. Say, a course on security is offered as part of the engineering syllabus. The content would become obsolete when he graduates!” he said.

Pillai added that one more reason for the reluctance of institutes to offer these courses is the dearth of teachers. Apart from centre for development of advanced computing (C-DAC), which is training ‘master trainers’ for cyber security (more below), this area is mostly overlooked in India.

According to officials in DeitY, the training and skill development in cyber security will be done in the public-private partnership (PPP) mode. However, the private sector is not ready for such partnerships as there is hardly any infrastructure for high-end training. “There is no legislation on PPP and the private sector is not secured of cost-overflows in case the project overshoots its time. Unless these issues are sorted, PPP is difficult to take off,” said Pillai.
It is not all a big zero though. According to Prof S Sadagopan of IIT Bangalore, capacity building in cyber security and allied fields is an ongoing process and one in which India has made significant progress. He said that many institutes have been teaching technical aspects of security such as cryptography, network security, secure computing, trusted computing and secure programming for many years.

“India has excellent globally ranked conferences like Indo-CRYPT for many years. Over the next five years this area will mature, and strong research groups will form. The Indian Statistical Institute has one of the best research groups in this area,” said Sadagopan.

Another organisation that has been making small strides of its own with regards to safe practices online has been C-DAC which offers a diploma course in information security, certificate course in information security under its information security education and awareness (ISEA) project. C-DAC also offers six-week and two-week training programmes in information security sponsored by DeitY. C-DAC, along with other DeitY organisations such as DOEACC, ERNET, NIC, STQC, ICERT, also trains ‘master trainers’ who would in turn train government officers.

However, C-DAC has not been mandated under the new or old cyber security policy to train 5,00,000 professionals. According to Rajat Moona, director general, C-DAC, these programmes are running independently of the policy.

Moona also had no information of the 40,000 cyber security professionals claimed to have been trained by DeitY. This, he said, would be the general picture of people trained across skill sets across the country. “We are yet to receive a mandate of training people under the cyber security policy,” he said.
It is 2014 and the government still does not have a plan to train a team which would dedicatedly work on preventing attacks on the cyber infrastructure in India. According to Pillai, cyber security training needs trainers to think like a criminal. “Cyber security training is given from the perspective of policy abiders and those who attack are looking to break into the system. We need to think like them to protect our systems,” he said.