The National Cyber Security Policy 2013 was introduced in the wake of cyber-attacks on sensitive public infrastructure in India, the United States and China and the growing realisation that important technology assets located within the country require protection. Since then there have been several incidents of leakage of classified information that have further raised national security and privacy concerns. In response, the government of India introduced its policy earlier this year, with the objective of creating a safe and resilient online ecosystem for government, businesses and citizens.

This paper briefly examines the key features of the policy, the extent to which it provides a solution to the cybersecurity threats faced by the nation and its implications on the use of the internet by businesses and individuals.

The policy extends to public and private IT infrastructure and attempts to create a secure environment for IT related transactions in cyberspace by ensuring government oversight of information technology activities. For this purpose the Policy has established a National Level Computer Emergency Response Team (CERT-In) responsible for coordinating all cybersecurity matters in the country.

It also proposed that appropriate institutions, systems and processes be developed to manage cyber incidents. Where required, government officials will be appropriately trained. A National Critical Information Infrastructure Protection Centre (NCIIPC) will be established to predict, prevent, protect and respond to such incidents.

Given the very real threat of a cyber-security attack that could, potentially, impact critical national resources and public safety, the government plans to implement a Cyber Crisis Management Plan to gauge the level of preparedness of the nation.

The Policy recognises the need to develop a dynamic legal framework to address evolving cybersecurity concerns such as advancements in cloud computing and mobile technologies, social media and encryption services. It also recommends periodic review of the legislation given the rapid advances in technology. In subsequent interviews, the Minister of Communications and Information Technology has emphasised the need to bring domestic laws into line with global practices and standards, particularly those relating to internet governance. Open standards in the public and private sector will be encouraged to facilitate interoperability and data exchange.     

Detailed guidelines and plans of action to address security concerns at each level to ensure the effective implementation of the policy will follow.

The policy is the result of the efforts of various stakeholders who have worked with the government to formulate a comprehensive plan and mitigation strategy to protect, with the assistance of the private sector, the country’s IT infrastructure from cyberthreats.

To achieve this, the policy will require key industries with critical technology infrastructure such as defence, aviation, energy and telecommunications to upgrade their security systems and policies o global standards. This would include the creation of an assurance framework mandating global security standards and best practices across products, technologies, processes and personnel for the public and private sectors.

Further the policy recommends that public and private organisations designate a member of senior management as the chief information security officer who would be responsible for cybersecurity efforts and initiatives. Separate budgets will also have to be earmarked to implement such initiatives.

The policy actively encourages the development and use of indigenous security technologies. It also stresses the importance of public-private partnerships in training, research and manufacturing of security systems that would help boost the economy and also increase trust and confidence in online businesses in India, attracting investments from abroad in varied sectors that rely on information technology systems.

Analysis

The policy is a first step to developing more robust cybersecurity in the country. It describes the framework within which laws will require to be formulated and enacted. What is missing is an understanding of key terms, such as ‘critical infrastructure’, which are necessary to understand how far the government’s oversight will extend.

The policy emphasises the importance of indigenous technologies and encourages the use of such technologies to build stronger infrastructure systems. This is along the same lines as the preferential market access policy that the government has been promoting for some time now. While this is intended to be a fillip to domestic firms, India has precious few firms that manufacture high-end security equipment. If the use of indigenous products is made mandatory under the policy then the country will have to delay implementation until the manufacturing infrastructure is established, or, will need to settle for less. It is unlikely that international security companies will offer the government of India access to their intellectual property by establishing manufacturing facilities in India.

The policy indicates that steps will be taken to strengthen the regulatory framework to ensure a secure cyberspace ecosystem in the country. However, it provides no indication of what this framework will extend to and how the regulations will be enforced. At present, the enforcement of cybercrimes are left to local police officers who are ill equipped to understand the nuances of cybercrimes and the distinction between cybercrimes and more traditional offences. This lack of a basic understanding of the enforcement of laws regulating the internet has already resulted in unfortunate instances of overzealous prosecution of innocent internet users. It is critical to the successful implementation of the new internet governance mechanism that appropriate measures be put in place to educate law enforcement agencies.