What India's Cyber Policy Needs Now
Security Experts Weigh In on Roles and Goals
Information security experts believe that the National Cyber Security Policy, although currently only a draft document, can come to life and succeed with a clearly defined strategy.
The draft policy needs to define the scope and methodology in building a resilient cyberspace, sources say, with the right resources defined, as well as a clear demarcation of their roles and responsibilities. The policy also should strictly follow the cybersecurity life cycle process in creating an effective response strategy.
"The immediate task for policy makers is to define the milestones to be achieved regarding the government's vision to build a secure and resilient cyberspace," says Prashant Mali, High Court Advocate, a cyber-law and cybersecurity expert.
One of the key steps, according to Mali, is to produce a research report on the legal implications of the policy measures and articulate it to citizens and institutions alike to ensure that it is well thought out.
The discussion comes against the backdrop of India's Prime Minister Narendra Modi emphasizing the need for a 'digital armed force' in conjunction with the 'Digital India' initiative for the country, so as to face increasing threats from cyberspace.
To recap, the National Cyber Security Policy, approved in July 2013, outlines the basic objectives and strategies "to build a secure and resilient cyberspace for citizens, businesses and the government." It also envisages facilitating the creation of a secure computing environment and enabling adequate trust and confidence in electronic transactions, as well as guiding stakeholders' actions for protection of cyber space.
Make It Operational
Asked for analysis of the draft policy, some experts argue that the existing policy talks about threats and cybersecurity, but the institutional mechanism to run the functions is missing.
Neeraj Aarora, attorney and forensic examiner, says the practical approach required to make the policy operational would include:
- Classification of threats;
- Defining the role of the stakeholders, including public/private sectors;
- Employing independent institutions to monitor the implementation of various steps of the cybersecurity lifecycle, including identify, protect, detect, respond and recover.
A smart approach, say a few, would be to identify the right resources and segregate responsibilities, with effective monitoring mechanisms that can deliver the desired results.
Some experts seek more clarity on operational methodology and laying down short-term and long-term goals that the government wants to achieve in securing cyberspace.
"Clearly articulating plans around cyber threats awareness initiatives, protection of resilience of critical e-information infrastructure, promotion and advancement in research and development activities by the government etc., would be a pragmatic approach," says Chennai-based V Rajendran, president of the Cyber Society of India, Chennai Chapter.
Bangalore-based Prasenjit Saha, president & CEO, infrastructure management and security services at Happiest Minds, a technology consulting company, says understanding the technology capabilities of vendors, and ensuring stakeholders' focus on cybersecurity for spotting the evolving threat landscape, will help meet the intended goals.
Having a successful response strategy for cybersecurity is critical, and Saha recommends policy makers focus on six layers: Risk aware, environment aware, data aware, business aware, complete visibility and hidden intelligence, which can help in developing an overall threat and response model.
Response to Experts
Responding to experts' views, Dr. Gulshan Rai, director general of the Indian Computer Emergency Response Team, confirms that the strategic objectives of the policy are being supplemented with clear-cut road maps for achieving the intended goals at all levels within the government, as well as at individual sectors and organization levels.
As a practical approach, Rai says that actions and initiatives of the government alone would not be sufficient to achieve the intended objectives in terms of scale and reach.
"To make it more realistic and operational, the skills and capabilities of the private sector are being tapped into through the PPP mechanism," Dr. Rai says. "There is scope for enhancing the involvement of the private sector to cut down the time needed to achieve the objectives."
Security experts and CERT's Dr. Rai agree that maturity in cyber-activities is not restricted to a handful of developed nation states. It is essential to develop global cyberspace norms to regulate and guide responsible behaviour in cyberspace.
The policy will be made practical to fight against cyberterrorism by way of enhanced coordination among all government agencies on information sharing.
While there is no defined time line to put the policy into practice, efforts are under way to give it a shape soon with clear implementation plans in place.