The status of India’s National Cyber Security Strategy
- Amid a surge in cyberattacks on India’s networks, the Centre is yet to implement the National Cyber Security Strategy which has been in the works since 2020.
- Cyber Security is protecting cyberspace including critical information infrastructure from attack, damage, misuse and economic espionage.
- The National Security Council (NSC) of India is a three-tiered organization that oversees political, economic, energy and security issues of strategic concern.
Need for cybersecurity strategy
- Cyberwarfare offensives:
- US is just one of many countries that have invested significant amounts of money in developing not just defences against attack, but the ability to mount damaging cyber warfare offensives.
- The countries which are believed to have the most developed cyber warfare capabilities are the United States, China, Russia, Israel and the United Kingdom.
- Increased Digital usage Post-Covid:
- Critical infrastructure is getting digitised in a very fast way - this includes financial services, banks, power, manufacturing, nuclear power plants, etc.
- For Protecting Critical Sectors:
- It is significant given the increasing interconnectedness of sectors and proliferation of entry points into the internet, which could further grow with the adoption of 5G.
- As per Palo Alto Networks’ 2021 report, Maharashtra was the most targeted State in India — facing 42% of all ransomware attacks.
- Report stated that India is among the more economically profitable regions for hacker groups and hence these hackers ask Indian firms to pay a ransom, usually using cryptocurrencies, to regain access to the data.
- One in four Indian organisations suffered a ransomware attack in 2021. Indian organisations witnessed a 218% increase in ransomware.
- Higher than the global average of 21%.
- Software and services (26%), capital goods (14%) and the public sector (9%) were among the most targeted sectors.
- Increase in such attacks has brought to light the urgent need for strengthening India’s cybersecurity.
What is the National Cyber Security Strategy?
- Conceptualised by: Data Security Council of India (DSCI)
- It focuses on 21 areas to ensure a safe, secure, trusted, resilient, and vibrant cyberspace for India.
- Main sectors of focus:-
- Large scale digitisation of public services: There needs to be a focus on security in the early stages of design in all digitisation initiatives and for developing institutional capability for assessment, evaluation, certification, and rating of core devices.
- Supply chain security: There should be robust monitoring and mapping of the supply chain of the Integrated circuits (ICT) and electronics products. Product testing and certification need to be scaled up, and the country’s semiconductor design capabilities must be leveraged globally.
- Critical information infrastructure protection: The supervisory control and data acquisition (SCADA) security should be integrated with enterprise security. A repository of vulnerabilities should also be maintained.
- Digital payments: There should be mapping and modelling of devices and platforms deployed, transacting entities, payment flows, interfaces and data exchange as well as threat research and sharing of threat intelligence.
- State-level cyber security: State-level cybersecurity policies and guidelines for security architecture, operations, and governance need to be developed.
What steps does the report suggest?
To implement cybersecurity in the above-listed focus areas, the report lists the following recommendations:
- Budgetary provisions: A minimum allocation of 0.25% of the annual budget, which can be raised up to 1% has been recommended to be set aside for cyber security.
- Separate ministries and agencies should earmark 15-20% of the IT/technology expenditure for cybersecurity.
- Law enforcement and other agencies should partner with their counterparts abroad to seek information about service providers overseas.Setting up Fund of Funds for cybersecurity and providing Central funding to States to build capabilities in the same field.
- Research, innovation, skill-building and technology development: Invest in modernisation and digitisation of ICTs, setting up a short and long term agenda for cyber security via outcome-based programs and providing investments in deep-tech cyber security innovation.
- Law enforcement and other agencies should partner with their counterparts abroad to seek information about service providers overseas.National framework should be devised in collaboration with institutions like the National Skill Development Corporation (NSDC) and ISEA (Information Security Education and Awareness) to provide global professional certifications in security.
- Law enforcement and other agencies should partner with their counterparts abroad to seek information about service providers overseas.Create a ‘cyber security services’ with cadre chosen from the Indian Engineering Services.
- Crisis management: For adequate preparation to handle crisis, DSCI recommends holding cybersecurity drills that include real-life scenarios with their ramifications.
- Law enforcement and other agencies should partner with their counterparts abroad to seek information about service providers overseas.In critical sectors, simulation exercises for cross-border scenarios must be held on an inter-country basis.
- Cyber insurance: Report recommends developing cyber insurance products for critical information infrastructure and to quantify the risks involving them.
- Cyber diplomacy: It plays a huge role in shaping India’s global relations.
- Law enforcement and other agencies should partner with their counterparts abroad to seek information about service providers overseas.To further better diplomacy, the government should promote brand India as a responsible player in cyber security and also create ‘cyber envoys’ for the key countries/regions.
- Cybercrime investigation: Report recommends unburdening the judicial system by creating laws to resolve spamming and fake news.
- Law enforcement and other agencies should partner with their counterparts abroad to seek information about service providers overseas.It suggests charting a five-year roadmap factoring possible technology transformation, setting up exclusive courts to deal with cybercrimes and removing backlog of cybercrimes by increasing centres providing opinion related to digital evidence under section 79A of the IT act.
- Law enforcement and other agencies should partner with their counterparts abroad to seek information about service providers overseas.It suggests advanced forensic training for agencies to keep up in the age of AI/ML, blockchain, IoT, cloud, automation.
- Law enforcement and other agencies should partner with their counterparts abroad to seek information about service providers overseas.
Progress in its implementation
- In the recent Budget session, several MPs questioned Ministry of Electronics & Information Technology (MEiTy) on when the Centre plans to introduce the policy.
- Centre clarified that it has formulated a draft National Cyber Security Strategy 2021 which holistically looks at addressing the issues of security of national cyberspace.”
- It added that it had no plans as of yet to coordinate with other countries to develop a global legal framework on cyber terrorism.
Exam track
Prelims take away
- Cyber security
- National Cyber Security Strategy 2021
- Types of cyber attacks
- Data Security Council of India (DSCI)
Mains track
Q. Discuss various threats and challenges to cyber-security in India. What initiatives are being taken by the government to enhance cyber-security in India?