Cyber security policy: The missing 'H'

Experts find more whats than hows in the policy; call it more of a wish list

pratap

Pratap Vikram Singh | July 15, 2013



Two years after releasing the first draft, the union government has finally come up with a policy on cyber security, which envisages "secured and resilient cyber space" not just for the government but also for citizens and businesses.

The national cyber security policy (NCSP) 2013, which has been formulated by the computer emergency response team (CERT-In), the nodal agency on cyber security under the department of electronics and information technology (DeitY), got its final shape after considering over 500 public comments, which were sent in due course.

The key highlights of the policy include creation of an assurance framework for boosting the cyber security culture across sectors – the government and business. The framework provides for enabling action towards formulation and implementation of security policies, best practices and techniques and harnessing competence of human resource.

The policy provides for an incentive-based mechanism to ensure that organisations, public or private, strengthen their information infrastructure, comply with the prescribed security standards (ISO 27001) and appoint a chief information security officer (CISO) who is responsible for cyber security efforts and initiatives.

The policy also emphasises upon the development of suitable indigenous security technologies “to meet national security requirements”.

We have physical safety, environment laws, which provide for measures in case of violations. However, nothing of that could be found in the NCSP as it is not mandatory.”
Dinesh Pillai, CEO of Mahindra Special Services Group

 

It is all a pipe dream. It is not well anchored in reality. The policy fails to spell out things. How and when the policy is going to be operationalised is not clear. Which agency will be handling what is also not clear.”
Satish Chandra, former deputy national security advisor, who had worked on the first draft of the national information security policy 2004

 

Although cyber security has become an international security issue, the policy misses out on the cyber diplomacy front. It is an imperative that India should be part of decision-making in the area of cyber security at the global level.”
Dr Arvind Gupta, director-general, Institute for Defence Studies and Analyses

 

Most importantly, it seeks private participation in two key areas: setting up security infrastructure for testing and validation of products and creation of skilled human resource in the field of information security, audit, testing, among others. The NCSP provides for enabling a workforce of 5 lakh cyber security professionals.

It has made CERT-In an umbrella body for enabling creation of sectoral CERTs and facilitating coordination in times of crisis.

According to DeitY officials, since the policy has now been approved, the government will move towards setting up a national cyber coordination centre – a multi-agency body with representatives from the Intelligence Bureau (IB), Research & Analysis Wing (R&AW), National Technical Research Organisation (NTRO) and armed forces. The agency, which has been cursorily mentioned without any nomenclature in the policy document, will monitor the internet traffic, which would help in prior threat detection and mitigation.

Though there are apprehensions about the nature and level of monitoring, DeitY officials claim the centre would monitor the meta-data, the pattern and the nature of traffic. The centre will help generate situational awareness reports.

While the document talks about key aspects of securing cyber space, experts say the document is just a wish list since it lacks details and the operational strategy. The experts are also sceptical about the implementation part because there is no clarity on the division of work between the agencies — something which has been approved in the form of national cyber security architecture, but has not been made public.

“It is all a pipe dream. It is not well anchored in reality. The policy fails to spell out things. How and when the policy is going to be operationalised is not clear. Which agency will handle what is also not clear,” said Satish Chandra, former deputy national security advisor, who had worked on the first draft of the national information security policy-2004.

“The policy talks about providing incentives and having 5 lakh trained people. But it is not clear how,” he said.

Dinesh Pillai, CEO of the Mumbai-based Mahindra Special Services Group, said compliance, as prescribed in the policy, is not mandatory and so there are apprehensions about its enforcement. “We have physical safety, environment laws, which provide for measures in case of violations. But nothing of that could be found in NCSP, as it is not mandatory,” he said. Pillai noted that major organisations always follow ISO 27001 certification. However, the organisations are still being cyber-attacked frequently. The policy should have gone beyond the basic certification, he said.

While lauding the preamble of the policy as “comprehensive and well-conceived”, Dr Arvind Gupta, director-general, Institute for Defence Studies and Analyses (IDSA), said the policy misses out on a few fronts. He said the policy neither mentions about the cyber forensics framework nor does it underline strengthening of cyber encryption.

Besides, Gupta said, “although cyber security has become an international security issue, the policy misses out on the cyber diplomacy front. It is an imperative that India should be part of decision-making in the area of cyber security at the global level.”

Gupta and Chandra both believe that the government should make the cyber architecture public, as there is an absolute lack of clarity on the roles and responsibilities divided among the agencies. The two also agree that the government should have mentioned about indigenous development of chips and other electronic equipment, as it has mainly remained in rhetoric.

According to another cyber security expert with IDSA, Dr Cherian Samuel, many of the strategies contained within these larger objectives seem to be on the generic side. The architecture of regulatory and other organisations necessary to see this policy through is nowhere to be found, he said.

“It goes without saying that, without a detailed architecture with clearly defined roles and responsibilities for various superior and subordinate organisations, this policy stands very little chance of being successfully operationalised,” Samuel said.

Supporting DeitY on the policy, Dr Kamlesh Bajaj, CEO, Data Security Council of India, said that the purpose of any policy is not to detail out implementation but to lay down vision and strategies. He, however, added, “The government needs to come out with a detailed action plan for implementation in near future. (The government should) take into account the various initiatives already under way or being planned.”

On capacity building, he said there is a need to set up training institutes in the industry that design market-aligned cyber security courses and produce certified professionals.

Besides, there are also concerns related to privacy as the government will soon operationalise the cyber coordination centre, which would monitor internet traffic, and the central monitoring system (CMS) – which would monitor anything and everything traversing through communication wire.

The policy is also silent on the mechanisms to ensure that the agencies do not snoop without judicial orders, on individual communications.

pratap@governancenow.com

Comments

 

Other News

How three organisations came together to serve 9,000 cancer patients annually

There were many preventable cancer deaths in 2020 due to lack of medical care and access as the Covid-19 pandemic has shifted the entire attention from these chronic ailments to itself. A patient named Javed Khan, struggling with cancer and on chemotherapy, contracted Covid and he could not get underlying

Why Ayurveda needs a new apex body

Ayurveda: The True Way to Restore Your Health and Happiness By Dr. G. G. Gangadharan Ebury/Penguin, 224 pages, Rs 299 Dr G.G. Gangadharan, a champion of Ayurveda for three and a half decades, has penned an introductory book on India’s ancient

‘Extend Mumbai Model post-pandemic to improve civic services’

The ‘Mumbai Model’, which helped the city beat Covid-19, came in for praise from the supreme court too. The BMC can now extend that model of decentralisation for more efficiency in day-to-day citizen services and to make Mumbai a better-managed and future-ready city, says the Praja Foundation.

“No ratings certainly better than bad ratings”

Though there is no weekly viewership data for individual news channels coming since mid-October 2020, after allegations of manipulation of television rating points (TRPs) by three news channels, percentage of viewers watching news across the world doubled during lockdown. According to Avinash Pandey, CEO,

Delhi plans implement ‘Mumbai Model’ soon

A team of the Delhi government’s health department has visited Mumbai to learn from the city’s officials how to battle Covid-19 more efficiently, following the supreme court’s advice last month that the capital should learn from the ‘Mumbai model’ that has successfully control

Why India’s ranking on Happiness Index has been falling

The World Happiness Report, one of the best tools for evaluating global happiness, is based on how ecstatic people perceive themselves to be. It considers six characteristics to rank countries on overall happiness: GDP per capita, social support, life expectancy, freedom to make choices, generosity, and pe

Visionary Talk with Avinash Pandey, CEO ABP News Network on News Broadcast - Issues & Its Future



Archives

Current Issue

Opinion

Facebook    Twitter    Google Plus    Linkedin    Subscribe Newsletter

Twitter