Experts sceptical about the cyber security policy

Policy is being seen a “wish list”, “not obligatory” by the experts


Pratap Vikram Singh | July 4, 2013

After two years of releasing the first draft, the union government has eventually come up with a policy on cyber security, which envisages “secured and resilient cyber space” not just for the government but also for citizens and businesses.  

The national cyber security policy (NCSP) 2013, which has been formulated by the computer emergency response team (CERT-In), the nodal agency on cyber security under the  department of electronics and information technology (DeitY), got its final shape after considering over 500 public comments, which were sent in the due course.

The key highlights of the policy include creation of an assurance framework for boosting cyber security culture across sectors – government and business. The framework provides for enabling action towards formulation and implementation of security policies, best practices and techniques and harnessing competence of human resource.

The policy provides for an incentive-based mechanism to ensure that organisations, public or private, strengthen their information infrastructure, comply with the prescribed security standards (ISO 27,001) and appoint a chief information security officer (CISO) —responsible for cyber security efforts and initiatives.

The policy also emphasises upon the development of suitable indigenous security technologies “to meet national security requirements”.

Most importantly, it seeks private participation in two key areas: setting up security infrastructure for testing and validation of products and creation of skilled human resource in the field of information security, audit, testing, among others. NCSP provides for enabling a workforce of five lakh cyber security professionals.  

It has made CERT-In an umbrella body for enabling creation of sectoral CERTs and facilitating coordination in times of crisis.

According to DeitY officials, now since the policy has been approved, the government will move towards setting up of a national cyber coordination centre — a multi-agency body having representatives from IB, RAW, NTRO and armed forces. The agency, which has been cursorily mentioned without any nomenclature in the policy document, will monitor the internet traffic, which would help in prior threat detection and mitigation. Though there are apprehensions about the nature and level of monitoring, DeitY officials claim that the centre would be monitoring the meta-data, the pattern and the nature of traffic. The centre will help generate situational awareness reports.

While the document talks about almost all key aspects of securing cyber space, experts say the document is just a wish list as it lacks details and the operational strategy. The experts are also sceptical about the implementation part because there is no clarity on the division of work between the agencies — something which has been approved in the form of national cyber security architecture, but has not been made public.   

“It is all pipedream. It is not well anchored in reality. The policy fails to spell out things. How and when the policy is going to be operationalised is not clear. Which agency will be handling what is also not clear,” said Satish Chandra, former deputy NSA, who had worked on the first draft of the national information security policy 2004.

“The policy talks about providing incentives and having five lakh trained people. But it is not clear how,” he said.

Dinesh Pillai, CEO of Mumbai-based Mahindra Special Services Group, said that the compliance, as prescribed in the policy, is not mandatory and so there are apprehensions about its enforcement. “We have physical safety, environment laws, which provide for measures in case of violations. However, nothing of that could be found in the NCSP as it is not mandatory,” he said.

Pillai noted that major organisations always follow ISO 27001 certification. However, the organisations are still being cyber attacked frequently. The policy should have gone beyond the basic certification, he said.

Dr Charian Samuel, IDSA, is of the view that many of the strategies contained within these larger objectives seem to be on the generic side. The architecture of regulatory and other organisations necessary to see this policy through is nowhere to be found, he said.

“It goes without saying that, without a detailed architecture with clearly defined roles and responsibilities for various superior and subordinate organisations, this policy stands very little chance of being successfully operationalised,” he said.   

Supporting DeitY on the policy, Dr Kamlesh Bajaj, CEO, Data Security Council of India, said that the purpose of any policy is not to detail out implementation but to lay down vision and strategies. He, however, said, “In the near future, the government needs to come out with a detailed action plan for implementation, taking into account the various initiatives already underway or being planned.”

On capacity building, he said that there is a need to set up training institutes in the industry that design market aligned cyber security courses and produce certified professionals.





Other News

How three organisations came together to serve 9,000 cancer patients annually

There were many preventable cancer deaths in 2020 due to lack of medical care and access as the Covid-19 pandemic has shifted the entire attention from these chronic ailments to itself. A patient named Javed Khan, struggling with cancer and on chemotherapy, contracted Covid and he could not get underlying

Why Ayurveda needs a new apex body

Ayurveda: The True Way to Restore Your Health and Happiness By Dr. G. G. Gangadharan Ebury/Penguin, 224 pages, Rs 299 Dr G.G. Gangadharan, a champion of Ayurveda for three and a half decades, has penned an introductory book on India’s ancient

‘Extend Mumbai Model post-pandemic to improve civic services’

The ‘Mumbai Model’, which helped the city beat Covid-19, came in for praise from the supreme court too. The BMC can now extend that model of decentralisation for more efficiency in day-to-day citizen services and to make Mumbai a better-managed and future-ready city, says the Praja Foundation.

“No ratings certainly better than bad ratings”

Though there is no weekly viewership data for individual news channels coming since mid-October 2020, after allegations of manipulation of television rating points (TRPs) by three news channels, percentage of viewers watching news across the world doubled during lockdown. According to Avinash Pandey, CEO,

Delhi plans implement ‘Mumbai Model’ soon

A team of the Delhi government’s health department has visited Mumbai to learn from the city’s officials how to battle Covid-19 more efficiently, following the supreme court’s advice last month that the capital should learn from the ‘Mumbai model’ that has successfully control

Why India’s ranking on Happiness Index has been falling

The World Happiness Report, one of the best tools for evaluating global happiness, is based on how ecstatic people perceive themselves to be. It considers six characteristics to rank countries on overall happiness: GDP per capita, social support, life expectancy, freedom to make choices, generosity, and pe

Visionary Talk with Avinash Pandey, CEO ABP News Network on News Broadcast - Issues & Its Future


Current Issue


Facebook    Twitter    Google Plus    Linkedin    Subscribe Newsletter