The national security council secretariat (NSCS) is working on a national cyber security strategy and will be finalising it in a few months.  The strategy will lay down clear defence mechanism against cyber threats and action points for the stakeholder agencies.  

The same was disclosed by Nehchal Sandhu, deputy national security adviser who was speaking at India Knowledge Summit co-organised by industry body ASSOCHAM and ministries of communications, human resource development and science and technology on Tuesday.

The government was also deliberating over a new amendment, focused on cyber security, to the IT Act, he said, while refusing to give details. The government will notify critical information infrastructure (CII) – under nine sectors including defence, finance, aviation, power, nuclear facilities, public services and law enforcement agencies – and a national critical information infrastructure protection centre (NCIIPC), which will be put under the supervision of a ministry.

The act, passed in 2000, initially catered to security issues related to e-commerce. The amendment introduced in 2008 and the subsequent rules in 2011 added provisions for interception of electronic communications and regulation of content over the internet respectively. The proposed amendment is expected to embolden government efforts to ensure a safe and secure cyberspace.

Elaborating on the cyber strategy, Sandhu said India has opted for a “layered approach” for cyber security. The first layer would comprise of 24/7 threat detection. The detection will be majorly limited to monitoring of traffic and not content, as the legislative regime doesn’t allow the same.

“This will have participation from all quarters including bank, finance, insurance, power and air traffic, among others,” he said, adding that this will help in timely alerting the respective agencies in case of an attack.

The second layer comprises of a central CERT (computer emergency response team) and sectoral CERTs, which will do the threat mitigation and follow up, he said.

Then there will be a layer of information sharing and analysis centres, which will leverage expertise from across sectors, he said. Testing of equipments is yet another important layer.

Now there will be an increased focus on certification of products in accordance to international regimes. Of late, the number of empanelled audit agencies with DEITY has gone up to 40. These agencies can do the network testing of equipment and and check their compliance with standards.

Besides, the government will also have a multi-agency audit team, he said. The government will also appoint chief information security officers in all its departments.

Elaborating on the growing sophistication in the nature of cyber threat, he said that the days of distributed denial of service (DDOS) – which leads to a crash down of websites caused by the diversion of unprecedented internet traffic to the site – is over. “There is a distinct mutation in the nature of threat. Now we have slim malware, which is highly unlikely to get detected, but has very high impact,” he said.   

Speaking about the challenges, he said that attribution is a big challenge in cyber space. The attackers, he said, employ sophisticated means of obscuring the point of origin and hence it becomes virtually impossible to trace the perpetrators.

The industry, however, doesn’t have the understanding of the damage cyber threat could cause in terms of commercial earnings, reputation and business process continuity, he lamented.

He also sought participation of the industry in cyber security, stating that there is a huge opportunity (for businesses) in setting up laboratories, which would handle large volume and deliver on-time. Without testing, it will not be possible to secure the supply chain management, he said.

Besides the industry could also invest in R&D in the cyber security space, he said. There is a considerable demand for robust cyber security systems.

Research proposals related to core security of hardware and software can be submitted to the office of the principal scientific advisor (PSA) to the prime minister.  The office of the PSA is in-charge of the R&D in the cyber security domain.