Data Security Council of India has prepared a report focussing on 21 areas to ensure a safe and vibrant cyberspace for India.
Need for India’s Cyber Security Strategy
- Increasing number of Cyber-attacks: According to American cybersecurity firm Palo Alto Networks’ 2021 report, Maharashtra was the most targeted State in India — facing 42% of all ransomware attacks in India.
- One in four Indian organisations suffered a ransomware attack in 2021. Indian organisations witnessed a 218% increase in ransomware — higher than the global average of 21%.
- Software and services (26%), capital goods (14%) and the public sector (9%) were among the most targeted sectors.
- Cyber-attacks undermine the data privacy of citizens.
- Cyber security threat is an emerging concern for India’s National Security.
- India has been a victim of cyber-attacks a number of times in the recent past:
  - 2017: WannaCry and Petya Ransomware
  - 2018: Aadhaar Software hacked and Aadhaar details of the people leaked online
  - 2021: Pegasus issue
- India is the 3rd most vulnerable country to cyber-attacks, according to Symantec.
Outdated Cyber Security Policy 2013
- Created in the wake of the surveillance scandal that followed the American National Security Agency leaks by Edward Snowden in 2013. Since then, new challenges have emerged which need to be addressed.
- India is among top ten countries facing cyber-attacks.
- Cyber landscape has witnessed growing digitization as part of the Government’s Digital India push, as well as more sophisticated cyber threats, particularly the WannaCrypt and Petya ransomware attacks.
- Government must proactively address India’s ability to respond effectively to cyber threats by outlining an institutional framework to ensure India’s digital safety.
- Need for mechanisms for coordination between multiple agencies responsible for cyber security.
- Shortage of cyber security professionals.
- Little progress in the public-private partnership envisaged by the 2013 Policy.
- Fostering greater civil-military cooperation on cyber security.
Cyber Threats can be of Four Types
- Cyber Espionage: The act or practice of obtaining secret information, i.e., information of a personal, sensitive or classified nature, from individuals, competitors or governments using malicious software such as Trojan horses and spyware. The motive is to obtain secret information which could go against our national security.
- Cyber Attack: Targets computer information systems, infrastructures and computer networks. The motive is to damage the targeted computer network or system. Impact: Destruction of communication networks.
- Cyber Terrorism: Convergence of terrorism and cyberspace. Cyberspace has been used by terrorists for purposes such as planning terrorist attacks, recruiting sympathizers, spreading propaganda to radicalise people and raising funds.
- Cyber warfare: Warfare conducted by a country or its proxies to attack computer systems in other countries. Includes Theft, Vandalism (Defacing Web Pages), Destruction of Critical information infrastructure.
Focus areas of cyber security strategy
- Large scale digitisation of public services: There needs to be a focus on security in early stages of design in all digitisation initiatives and for developing institutional capability for assessment, evaluation, certification, and rating of core devices.
- Supply chain security: Robust monitoring and mapping of supply chain of Integrated circuits and electronics products. Product testing and certification needs to be scaled up, and country’s semiconductor design capabilities must be leveraged globally.
- Critical information infrastructure protection: Supervisory control & data acquisition (SCADA) security should be integrated with enterprise security. A repository of vulnerabilities should be maintained.
- Digital payments: Mapping and modelling of devices and platform deployed, transacting entities, payment flows, interfaces and data exchange as well as threat research and sharing of threat intelligence.
- State-level cyber security: State-level cybersecurity policies and guidelines for security architecture, operations, and governance need to be developed.
Suggestions by the Report
- Budgetary provisions: A minimum allocation of 0.25% of annual budget, which can be raised up to 1% has been recommended to be set aside for cyber security. 15-20% of IT/technology expenditure should be earmarked for cybersecurity. Setting up a Fund of Funds for cybersecurity and to provide Central funding to States to build capabilities.
- Research, innovation, skill-building and technology development:
  - Investing in modernisation and digitisation of ICTs, setting up a short- and long-term agenda for cyber security via outcome-based programs and providing investments in deep-tech cyber security innovation.
  - A national framework should be devised in collaboration with institutions like National Skill Development Corporation (NSDC), ISEA (Information Security Education and Awareness) to provide global professional certifications in cybersecurity.
  - Creating a ‘cyber security services’ with cadre chosen from the Indian Engineering Services.
- Crisis management: Holding cybersecurity drills which include real-life scenarios with their ramifications. In critical sectors, simulation exercises for cross-border scenarios must be held on an inter-country basis.
- Cyber insurance: Developing cyber insurance products for critical information infrastructure and to quantify the risks involving them.
- Cyber diplomacy: Cyber diplomacy plays a huge role in shaping India’s global relations. To strengthen it further, the government should promote brand India as a responsible player in cyber security and create ‘cyber envoys’ for the key countries/regions.
- Cybercrime investigation: Unburdening the judicial system by creating laws to resolve spamming and fake news. Charting a five-year roadmap factoring in possible technology transformation, setting up exclusive courts to deal with cybercrimes and removing the backlog of cybercrimes by increasing the number of centres providing opinion related to digital evidence under section 79A of the IT Act.
- Advanced forensic training for agencies to keep up in the age of AI/ML, blockchain, IoT, cloud, automation. Law enforcement and other agencies should partner with their counterparts abroad to seek information of service providers overseas.
Draft National Cyber Security Strategy 2021
The Centre has formulated a draft National Cyber Security Strategy 2021, which looks holistically at addressing issues of security of national cyberspace. The Centre did not mention a deadline for its implementation and had no plans yet to coordinate with other countries to develop a global legal framework on cyber terrorism.
National Security Council
- All aspects of national security are deliberated upon by National Security Council (NSC), an apex body headed by Prime Minister.
- Ministers of Home Affairs, Defence, External Affairs and Finance are its members.
- National Security Adviser is its secretary.
- The three-tier structure of the NSC comprises:
  - Strategic Policy Group (SPG),
  - National Security Advisory Board (NSAB) and
  - National Security Council Secretariat.
- SPG is chaired by the Cabinet Secretary and is the principal forum for coordination and integration of inputs.
- NSAB undertakes long-term analysis and provides perspectives on issues of national security.
CERT-IN REGULATIONS
Indian Computer Emergency Response Team (CERT-In) issued directions, in accordance with the Information Technology Act, 2000, about information security policies, procedures, prevention, response, and reporting of cyber events. The directions have come into effect and will apply to “service providers, intermediaries, data centres, body corporate, and government organisations.”
Need for these rules
- Data breach poses a grave cyber security threat.
- Critical information of Indian users is compromised and may be accessible to malicious parties.
- Cybersecurity compromises impact both private and public agencies.
- CERT-In reported a total of 48,285 government-related cyber security incidents in 2021.
- CERT-In has struggled for some time to obtain information and incident reports from service providers, intermediaries, and corporations.
- The rules address the issues of an inadequate legal framework, lack of transparency, and significant danger of privacy infringement via cyber-security infringements.
Salient Features of CERT-IN Directions
- Will apply to service providers, intermediaries, data centres, body corporate & government organisations.
- Companies are obligated to disclose cybersecurity incidents, specifically those listed in the directions, to CERT-In within 6 hours of discovering them.
- Compels organisations to provide CERT-In with information or any other such assistance that may contribute to cyber security mitigation actions and better cyber security situational awareness.
- Requires extensive documentation for services such as data centres, virtual private server providers, cloud service providers, and VPN services.
- Customer identification, when subscriptions were active, IP addresses assigned to them, contact numbers, and other information would be stored for 5 years by these services.
- Places virtual assets under jurisdiction of Finance Ministry financial regulations and mandates that they maintain all information obtained as part of KYC and records of financial transactions for 5 years to ensure cyber security in payments and financial markets.
- Requires system administrators to connect to Network Time Protocol servers administered by National Informatics Centre, National Physical Laboratory, or NTP servers traceable to these NTP servers, to ensure system synchronisation pan-India.
Concerns with the CERT-IN Rules
- Fail to distinguish between incidents on the basis of scope and character. A company may get hundreds of phishing emails, and the work required to notify each recipient would significantly increase compliance costs.
- Wide scope and intrusive: Requires organisations to mandatorily enable logs on all their ICT systems.
- Increased Compliance burden: A lack of clarity on the scope of “all their ICT systems” gives rise to several concerns, such as the government having access to or companies holding more data than necessary.
- The phrases “Data Centres,” “Virtual Private Server (VPS) providers,” “Cloud Service providers,” and “Virtual Private Network Service (VPN Service) providers” are not specified.
- No definitions for terminology such as “service providers,” “intermediaries,” and “body corporate.”
- Concerns regarding the collection and storage of data beyond purpose or need are exacerbated by the need for maintaining logs for a rolling period of 180 days and maintenance of data for 5 years or longer.
- Some service providers and VPNs assert that they do not keep records due to their commitment to privacy.
- Many service providers might be compelled to leave the Indian market, making these technologies costlier.
- Introduces soft data localisation norms: organisations must mandatorily enable logs of all their ICT systems, and a copy of the data must be stored in India.
- Such data localisation can inhibit innovation and the free flow of data across international borders.
- Increased compliance costs would discourage international firms from bringing their services and goods to India.
- This could prevent Indian users from gaining access to these services.
- Concerns have also been raised about state-sponsored mass monitoring.
- Many of these companies are based in the US and Europe, which could strain relations.