After two years of releasing the first draft, the union government has eventually come up with a policy on cyber security, which envisages “secured and resilient cyber space” not just for the government but also for citizens and businesses.
The national cyber security policy (NCSP) 2013, which has been formulated by the computer emergency response team (CERT-In), the nodal agency on cyber security under the department of electronics and information technology (DeitY), got its final shape after considering over 500 public comments, which were sent in the due course.
The key highlights of the policy include creation of an assurance framework for boosting cyber security culture across sectors – government and business. The framework provides for enabling action towards formulation and implementation of security policies, best practices and techniques and harnessing competence of human resource.
The policy provides for an incentive-based mechanism to ensure that organisations, public or private, strengthen their information infrastructure, comply with the prescribed security standards (ISO 27,001) and appoint a chief information security officer (CISO) —responsible for cyber security efforts and initiatives.
The policy also emphasises upon the development of suitable indigenous security technologies “to meet national security requirements”.
Most importantly, it seeks private participation in two key areas: setting up security infrastructure for testing and validation of products and creation of skilled human resource in the field of information security, audit, testing, among others. NCSP provides for enabling a workforce of five lakh cyber security professionals.
It has made CERT-In an umbrella body for enabling creation of sectoral CERTs and facilitating coordination in times of crisis.
According to DeitY officials, now since the policy has been approved, the government will move towards setting up of a national cyber coordination centre — a multi-agency body having representatives from IB, RAW, NTRO and armed forces. The agency, which has been cursorily mentioned without any nomenclature in the policy document, will monitor the internet traffic, which would help in prior threat detection and mitigation. Though there are apprehensions about the nature and level of monitoring, DeitY officials claim that the centre would be monitoring the meta-data, the pattern and the nature of traffic. The centre will help generate situational awareness reports.
While the document talks about almost all key aspects of securing cyber space, experts say the document is just a wish list as it lacks details and the operational strategy. The experts are also sceptical about the implementation part because there is no clarity on the division of work between the agencies — something which has been approved in the form of national cyber security architecture, but has not been made public.
“It is all pipedream. It is not well anchored in reality. The policy fails to spell out things. How and when the policy is going to be operationalised is not clear. Which agency will be handling what is also not clear,” said Satish Chandra, former deputy NSA, who had worked on the first draft of the national information security policy 2004.
“The policy talks about providing incentives and having five lakh trained people. But it is not clear how,” he said.
Dinesh Pillai, CEO of Mumbai-based Mahindra Special Services Group, said that the compliance, as prescribed in the policy, is not mandatory and so there are apprehensions about its enforcement. “We have physical safety, environment laws, which provide for measures in case of violations. However, nothing of that could be found in the NCSP as it is not mandatory,” he said.
Pillai noted that major organisations always follow ISO 27001 certification. However, the organisations are still being cyber attacked frequently. The policy should have gone beyond the basic certification, he said.
Dr Charian Samuel, IDSA, is of the view that many of the strategies contained within these larger objectives seem to be on the generic side. The architecture of regulatory and other organisations necessary to see this policy through is nowhere to be found, he said.
“It goes without saying that, without a detailed architecture with clearly defined roles and responsibilities for various superior and subordinate organisations, this policy stands very little chance of being successfully operationalised,” he said.
Supporting DeitY on the policy, Dr Kamlesh Bajaj, CEO, Data Security Council of India, said that the purpose of any policy is not to detail out implementation but to lay down vision and strategies. He, however, said, “In the near future, the government needs to come out with a detailed action plan for implementation, taking into account the various initiatives already underway or being planned.”
On capacity building, he said that there is a need to set up training institutes in the industry that design market aligned cyber security courses and produce certified professionals.
