Two years after releasing the first draft, the union government has finally come up with a policy on cyber security, which envisages "secured and resilient cyber space" not just for the government but also for citizens and businesses.

The national cyber security policy (NCSP) 2013, which has been formulated by the computer emergency response team (CERT-In), the nodal agency on cyber security under the department of electronics and information technology (DeitY), got its final shape after considering over 500 public comments, which were sent in due course.

The key highlights of the policy include creation of an assurance framework for boosting the cyber security culture across sectors – the government and business. The framework provides for enabling action towards formulation and implementation of security policies, best practices and techniques and harnessing competence of human resource.

The policy provides for an incentive-based mechanism to ensure that organisations, public or private, strengthen their information infrastructure, comply with the prescribed security standards (ISO 27001) and appoint a chief information security officer (CISO) who is responsible for cyber security efforts and initiatives.

The policy also emphasises upon the development of suitable indigenous security technologies “to meet national security requirements”.

We have physical safety, environment laws, which provide for measures in case of violations. However, nothing of that could be found in the NCSP as it is not mandatory.”
Dinesh Pillai, CEO of Mahindra Special Services Group

It is all a pipe dream. It is not well anchored in reality. The policy fails to spell out things. How and when the policy is going to be operationalised is not clear. Which agency will be handling what is also not clear.”
Satish Chandra, former deputy national security advisor, who had worked on the first draft of the national information security policy 2004

Although cyber security has become an international security issue, the policy misses out on the cyber diplomacy front. It is an imperative that India should be part of decision-making in the area of cyber security at the global level.”
Dr Arvind Gupta, director-general, Institute for Defence Studies and Analyses

Most importantly, it seeks private participation in two key areas: setting up security infrastructure for testing and validation of products and creation of skilled human resource in the field of information security, audit, testing, among others. The NCSP provides for enabling a workforce of 5 lakh cyber security professionals.

It has made CERT-In an umbrella body for enabling creation of sectoral CERTs and facilitating coordination in times of crisis.

According to DeitY officials, since the policy has now been approved, the government will move towards setting up a national cyber coordination centre – a multi-agency body with representatives from the Intelligence Bureau (IB), Research & Analysis Wing (R&AW), National Technical Research Organisation (NTRO) and armed forces. The agency, which has been cursorily mentioned without any nomenclature in the policy document, will monitor the internet traffic, which would help in prior threat detection and mitigation.

Though there are apprehensions about the nature and level of monitoring, DeitY officials claim the centre would monitor the meta-data, the pattern and the nature of traffic. The centre will help generate situational awareness reports.

While the document talks about key aspects of securing cyber space, experts say the document is just a wish list since it lacks details and the operational strategy. The experts are also sceptical about the implementation part because there is no clarity on the division of work between the agencies — something which has been approved in the form of national cyber security architecture, but has not been made public.

“It is all a pipe dream. It is not well anchored in reality. The policy fails to spell out things. How and when the policy is going to be operationalised is not clear. Which agency will handle what is also not clear,” said Satish Chandra, former deputy national security advisor, who had worked on the first draft of the national information security policy-2004.

“The policy talks about providing incentives and having 5 lakh trained people. But it is not clear how,” he said.

Dinesh Pillai, CEO of the Mumbai-based Mahindra Special Services Group, said compliance, as prescribed in the policy, is not mandatory and so there are apprehensions about its enforcement. “We have physical safety, environment laws, which provide for measures in case of violations. But nothing of that could be found in NCSP, as it is not mandatory,” he said. Pillai noted that major organisations always follow ISO 27001 certification. However, the organisations are still being cyber-attacked frequently. The policy should have gone beyond the basic certification, he said.

While lauding the preamble of the policy as “comprehensive and well-conceived”, Dr Arvind Gupta, director-general, Institute for Defence Studies and Analyses (IDSA), said the policy misses out on a few fronts. He said the policy neither mentions about the cyber forensics framework nor does it underline strengthening of cyber encryption.

Besides, Gupta said, “although cyber security has become an international security issue, the policy misses out on the cyber diplomacy front. It is an imperative that India should be part of decision-making in the area of cyber security at the global level.”

Gupta and Chandra both believe that the government should make the cyber architecture public, as there is an absolute lack of clarity on the roles and responsibilities divided among the agencies. The two also agree that the government should have mentioned about indigenous development of chips and other electronic equipment, as it has mainly remained in rhetoric.

According to another cyber security expert with IDSA, Dr Cherian Samuel, many of the strategies contained within these larger objectives seem to be on the generic side. The architecture of regulatory and other organisations necessary to see this policy through is nowhere to be found, he said.

“It goes without saying that, without a detailed architecture with clearly defined roles and responsibilities for various superior and subordinate organisations, this policy stands very little chance of being successfully operationalised,” Samuel said.

Supporting DeitY on the policy, Dr Kamlesh Bajaj, CEO, Data Security Council of India, said that the purpose of any policy is not to detail out implementation but to lay down vision and strategies. He, however, added, “The government needs to come out with a detailed action plan for implementation in near future. (The government should) take into account the various initiatives already under way or being planned.”

On capacity building, he said there is a need to set up training institutes in the industry that design market-aligned cyber security courses and produce certified professionals.

Besides, there are also concerns related to privacy as the government will soon operationalise the cyber coordination centre, which would monitor internet traffic, and the central monitoring system (CMS) – which would monitor anything and everything traversing through communication wire.

The policy is also silent on the mechanisms to ensure that the agencies do not snoop without judicial orders, on individual communications.

pratap@governancenow.com