The challenge of cyber security

KAMLESH BAJAJ


CYBER threats such as identity and IP theft, banking frauds and attacks on critical infrastructure make daily news. Such attacks can compromise the security and economies of entire nations, and no country is immune to them. Attack tools such as botnets and key loggers must be identified, tracked and neutralized even as new ones spring up; that is the nature of cyber threats. The threat landscape keeps changing, with new vulnerabilities, attack vectors, platforms and apps, and with ever-increasing bandwidth. Any response to this requires alertness and agility.

Given this scenario, is India prepared to defend itself in cyberspace? Is the government information infrastructure well protected? As Internet penetration appears to gain priority over security, these questions become increasingly important. The Government of India delivers multiple services over the mobile platform as part of its JAM plan (Jan Dhan, Aadhaar and Mobile). Digital Locker (DigiLocker) is yet another scheme, for storing documents in electronic form to ease transactions with government agencies.

Some of the questions that need to be addressed to understand the status of cyber security in India are the following:

1. Do we have the capacity and capability to identify attacks on our governance, economic, corporate, and military institutions?

2. What institutions have we built for cyber security, and how effective are they in securing the nation?

3. What is the capability of our law enforcement agencies (LEAs), cyber forensics infrastructure and human resources in analyzing and handling evidence?

4. How effective is our legal regime?

5. Given that the role of the private sector is crucial to cyber security, how does the government work with the private sector to create public-private partnership (PPP) programmes? Is the relationship trustworthy?

6. Do we have a long-term R&D plan for cyber security that identifies our specific requirements? Is the private sector involved in it?

7. Is a cyber security industry being built in India?

8. Do the new security entities established by the government have a cyber mindset? Do they involve industry, academia and thought leaders in the making of cyber policies?

9. Do we have effective international alliances and partnerships for information sharing to defend against threats and attacks?

10. Does our diplomacy have the required capacity and capability to influence international cyber affairs in accordance with our interests?

 

Where are we today? The Information Technology Act (IT Act) was enacted in 2000 to put electronic records and digital signatures on par with paper-based documents, in order to promote e-commerce and e-governance. The act also created criminal offences for violation and misuse of its provisions. It was amended in 2008 to mandate ‘reasonable security practices’ for body corporates (Section 43A), though government departments were exempted. At the same time more cyber crimes were added, and rules on the protection of sensitive personal data followed in 2011. The Indian Computer Emergency Response Team (CERT-In) was also designated as the national nodal agency for incident response (including ‘forecast and alerts of cyber security incidents’).

The government, however, took six years after that amendment to name an agency, the National Critical Information Infrastructure Protection Centre (NCIIPC), for critical infrastructure protection (CIP). CERT-In was created in 2003 – though it was formally notified only in 2014 – to create awareness about cyber security among government agencies through advisories and training programmes. In fact, the very first batches of trainees included personnel from the armed forces, and sectoral CERTs in the army, navy and air force were nucleated through these interactions. But for nearly 12 years much of CERT-In’s energy was frittered away on the blocking of websites under Section 69A, a task unrelated to its core functions.

 

The techno-legal framework for Public Key Infrastructure (PKI) was established through the Controller of Certifying Authorities (CCA). Industry contributed through a dedicated organization, the Data Security Council of India (DSCI). Over the last eight years, joint programmes of CERT-In and DSCI have created awareness about security best practices and the IT Act throughout the country. DSCI has also set up six cyber forensics labs and conducted training programmes for law enforcement agencies (LEAs).

Recognizing the need for a cyber security workforce, the government launched the Information Security Education and Awareness (ISEA) project in premier universities over a decade ago. Skill development in security under the aegis of the National Skill Development Corporation (NSDC), through NASSCOM and DSCI, has also added to the skilled workforce.

The RBI has mandated independent audits and board-level awareness for banks, and it mandated two-factor authentication for online card transactions before the United States did so. Banks were the first to recognize the benefit of sharing information on threats and vulnerabilities for collective security; as a result, an Information Sharing and Analysis Centre (ISAC) was established in 2014 at the Institute for Development and Research in Banking Technology (IDRBT). The DSCI report ‘Securing our Cyber Frontiers’ and the IDSA report on cyber security in 2012 led to the creation of a Joint Working Group (JWG) on public-private partnership (PPP), under the chairmanship of the Deputy National Security Advisor in 2013, to enhance cyber security in India. These are positive steps.

Industry, on its part, continues to innovate in cyberspace: RuPay, an indigenous card payment network; secure wallets such as Paytm; and the Unified Payments Interface (UPI). These have drawn more people into the digital space and given a fillip to e-commerce and the e-delivery of government services. The Indian IT industry provides security services to global clients and has the potential to emerge as a global hub for cyber security services. A number of startups have created world-class security products, some of which have been acquired by global giants. But is this enough? Are we agile enough as a nation to respond to incidents, especially for CIP? Is the government infrastructure secure?

 

What is missing? The National IT Policy 2011 stated that its mission is ‘to ensure a secure cyber space...’ with strategies such as ‘indigenous development of suitable security techniques and technology through frontier technology research, solution oriented research, proof of concept, pilot development etc. and deployment of secure IT products/processes.’ However, there was little action on the ground. This was followed by the National Cyber Security Policy 2013, with laudable objectives and strategies, including financial incentives for implementing secure practices and higher budgets for security. Again, there was no follow-up by the government.

Even though it was announced with much fanfare in 2013 that India had become a certificate-authorizing nation under the Common Criteria (CC) programme, no CC lab has so far been nucleated under the scheme, though such testing is critical for national security. Similarly, the additional criteria for testing 3G and 4G telecom products within the country have yet to be articulated by the Department of Telecommunications (DoT); with several deadlines missed, this remains a work in progress. The loss is ours as a nation, both in supply chain security and in the opportunity to become a hub for CC testing for global clients.

Enforcement of the IT Act is crucial for cyber security, but it has been tardy. Several rules and policies that the act requires are still missing eight years after the amendment. Even something as basic as an encryption policy under Section 84A does not yet exist. The act empowers an agency to monitor and collect information and traffic data through any computer resource for cyber security under Section 69B, but the notification conferring that authority on CERT-In came only in April 2016.

 

While CERT-In has contributed to awareness creation and training, its role has not grown into that of a national threat intelligence centre with a countrywide, sector-wise picture of threats and knowledge of adversaries. It has no mechanism for monitoring vulnerabilities and attack vectors even in government networks. It has no visibility into private networks and depends heavily on the information that Symantec, Microsoft, Verizon, Cisco and others provide when they choose to. The National Cyber Coordination Centre (NCCC), which the government has been speaking of for nearly three years, is likewise non-existent. India also needs to build bridges with LEA counterparts in other countries for sharing cyber forensic evidence, and give shape to a clear and coherent mutual legal assistance treaty framework to speed up that exchange.

In cyber forensics, the government labs in Hyderabad, Pune, Bhopal, Lucknow and Ahmedabad are woefully short of expert manpower, with hardly any computer science graduates working there. In 2013 DSCI proposed a Cyber Crime Investigation Programme (CCIP) to the Ministry of Home Affairs to expand its existing network of labs to cover all the states, but there has been no response from the government. DSCI is even closing existing labs because industry has no funds to support training indefinitely. A critical resource for capacity building will thus be lost instead of being upgraded.

 

In the US, cyber attacks are disclosed as a matter of course: federal agencies must report incidents to US-CERT under FISMA, and state breach notification laws oblige companies to inform affected individuals. No such reporting takes place in India. Even when attacks are reported by global security companies, we routinely deny them; oblique admission comes only in statements that no vital losses occurred. Government departments in the US undergo independent audits of their security posture, and the reports are made public. The US Cybersecurity Framework for critical infrastructure, developed by NIST under a 2013 executive order and published in 2014, was built on a decade’s experience of security issues, with active involvement of industry, academia and government. Though not mandatory, it encourages industry to use it alongside existing best-practice frameworks and standards.

The private sector plays a big role in American cyber security. For example, in early 2016 Defense Secretary Carter announced a Defense Innovation Advisory Board made up exclusively of twelve industry experts, to track innovative ideas in the commercial world that could be of interest to the US military. In February 2016, President Obama set up a Commission on Enhancing National Cybersecurity to make recommendations ‘for enhancing cyber-security awareness and protections... to protect privacy, ensure public safety and economic and national security, and to empower Americans to take better control of their digital security.’ The commission is expected to submit its report in December 2016. Note that it has been set up even as the Comprehensive National Cybersecurity Initiative (CNCI), initiated by President Bush and continued by Obama, remains in operation. This commission too is drawn largely from industry.

Reports of think tanks and universities feed into government policy making. For example, American encryption policy was influenced by two reports, ‘Keys Under Doormats’ from MIT’s CSAIL in 2015 and ‘Don’t Panic’ from the Berkman Center at Harvard in 2016. Further, US-CERT under the Department of Homeland Security, set up after 9/11, has deep linkages with industry and academia and sustained coordination with other agencies.

 

Will the Indian government ever mandate security assessments of its ministries and departments by independent auditors under the CAG or CVC, rate them and make the ratings public? Given the current state of governance, this appears highly unlikely. The private sector is not much different, except where regulation is strong, as in banking; where clients demand it, as in the IT/BPO sector; or where long-term credibility is critical for survival, as in e-commerce. Critical infrastructures such as the power grid, oil and gas, transport, air traffic control and railway signalling show varying degrees of commitment to cyber security.

Surprisingly, in the last eight years the government has declared only two networks, TETRA and Aadhaar, as critical information infrastructure under Section 70. While NCIIPC has been created, its impact on security is yet to be felt, largely because it follows a top-down approach fixated on issuing circulars. Moreover, instead of being an independent entity under the MHA, it has been placed under the National Technical Research Organisation (NTRO), an intelligence agency whose core functions are obviously different. It is thus not surprising that the guidelines NTRO issued in 2013 were a poor rehash of better global practices.

Private sector involvement in policy making is minimal. Encryption policy making did see some industry participation, but the process took two to three years, and even then the contents of the policy were unclear until it was suddenly announced in 2015. When it came under attack from civil society and industry alike, it was withdrawn as suddenly. A cloud security policy has been in the making for several years. Contentious issues such as data localisation and national security have to be confronted head on, and policies announced.

 

The Government of India also plays safe by nominating industry associations to policy advisory committees. For example, Section 88 of the act says that the Cyber Regulations Advisory Committee shall consist of ‘non-official members representing the interests principally affected or having special knowledge of the subject matter…’, but the notification includes representatives of industry associations such as NASSCOM, CII, FICCI, ISPAI and ASSOCHAM rather than experts with subject matter knowledge. Industry associations find mention in rule six of the CERT-In rules as well, and there too by rotation each year.

 

So what should we do? Information sharing across government and industry has to become the norm in India. The telecom sector, which treats security as part of its licence terms, has to become increasingly proactive. A security lifecycle includes defence, detection and response; containing the damage and investigating the cause of an attack is critical to preventing future events. Are we building our organizations with this in mind? The threat landscape is changing rapidly, with nation states using cyber attacks to target their adversaries: Stuxnet, which damaged uranium enrichment centrifuges at Iran’s Natanz facility, was the act of a nation state. Snowden’s revelations of the US NSA’s global surveillance were another wake-up call for enhancing the security of our infrastructures.

In July 2012 it was reported that the Eastern Naval Command’s internal network had been compromised in a major cyber attack, resulting in highly sensitive data about the Indian Navy being leaked to the Chinese. Although several other armed forces breaches have been reported over the last few years, official statements always clarify that no secret data was lost. The same is true in the civilian space. GhostNet, a series of intrusions discovered in 2009 by the University of Toronto’s Munk Centre and attributed to China, targeted the PMO and our embassies. Many other successful cyber attacks against Indian targets are unearthed by major global cyber security companies; our own cyber intelligence capable of anticipating such attacks is not yet visible. India needs to accept that we have been compromised, analyse the attacks and improve our cyber defences accordingly.

While India is an acknowledged leader in providing ICT services, its investment in R&D in ICT generally, and in cyber security in particular, is insignificant by global standards. There are no Indian IT or cyber security products of significance in the marketplace. Our large manpower base works on cutting-edge security products for foreign companies, which own the resulting intellectual property. We are also a massive market for social media companies and chat platforms, so both personal and corporate data reside on servers located outside India. There are further challenges such as internet governance, which remains subject to US jurisdiction notwithstanding the Internet Assigned Numbers Authority (IANA) transition, because the Internet Corporation for Assigned Names and Numbers (ICANN) continues to be a California-based non-profit corporation subject to US law.

 

It is in the interest of our national security that India develop a holistic plan promoting R&D in basic ICT technology, application platforms, technology solutions and services, so that it emerges as an innovative country that captures markets elsewhere. Security engineering startups are the need of the day, but there is no clear policy for inducting their products and solutions into defence and national security, which forces them to assign their intellectual property to global leaders.

For enhancing cyber security and national security, there should be a focus on critical infrastructure protection, cyber threat intelligence and warfare, the security workforce, cyber crime management and, above all, research on cyber policy. The government has to unleash the potential of the private sector by treating it as a strategic partner. In line with PM Modi’s vision, the potential to build a security resource pool and industrial capability for global play has to be realized. The promise of Digital India can be delivered only if we take cyber security into our own hands.

A new mindset in bureaucratic, political and societal cultures is critical to facing cyber threats. We need to abandon the feudal and colonial governance approach that relies on secrecy and strict hierarchical control. Governance for the information age calls for information sharing, openness and transparency, along with innovation and agility, relying on technology and people as well as on processes and SOPs. Cyber security cannot be dealt with through regulation alone; a move towards government-industry cooperation and partnership is needed. One step would be to allow freer movement of people between government and the private sector.

Finally, it is worth noting that NASSCOM set up the Cyber Security Task Force (CSTF) in mid-2015, at the behest of PM Modi, to recommend how India can emerge as a supplier of cyber security products and services to the world. The CSTF has held deep consultations with industry, government and academia on technology, skills and education, industry, startups and R&D to arrive at policy recommendations for making this happen. The key, however, lies in making them work.

India has all the entities required for cyber security: CERT-In, NCIIPC, cyber labs, the ISEA programme for education in universities, skill development under NSDC and NASSCOM/DSCI, intelligence and monitoring of networks for national security, a vibrant IT/BPO industry, the JWG for PPP and startups – now even a national cyber coordinator! But at present they do not work in a coordinated manner to secure India’s cyberspace. Much remains to be done.
