Reports this week have suggested a cyberattack in September on the Kudankulam nuclear power project in Tamil Nadu. This has been subsequently denied by government officials, even as an audit confirmed that an ‘incident’ had indeed occurred, but not on the main operations of the plant. In such a context, GoI’s scheduled release of the National Cybersecurity Strategy 2020 in January-February next year becomes all the more important.
The Cybersecurity Policy of 2013 is open and technology neutral. But it needs upgradation. The digital economy today comprises 14-15% of India’s total economy, and is targeted to reach 20% by 2024. India has more than 120 recognised ‘data centres’ and clouds.
The average data consumption per person a year is in the range of 15-20 gigabits. The growth rate in data generation is more than 35%. With more inclusion of artificial intelligence (AI), machine learning (ML), data analytics, cloud computing and Internet of Things (IoT), cyberspace will become a complex domain, giving rise to issues of a techno-legal nature.
Sectors such as healthcare, retail trade, energy and media face advance persistent threats (APTs), as the latest reports of an Israeli spyware allegedly used to spy on Indian journalists and human rights activists attest. These incidents relating to data leakage, ransomware, ATM/credit cards denial of service, diversion of network traffic intrusion in IT systems and networks using malware are on rise.
Attacks on embedded systems and IoT have also registered a sharp increase of late. Such incidents are being launched from cyberspace of different international jurisdictions.
Countries have now started taking different approaches, which include tackling matters related to data sovereignty, data localisation, internet governance, handling fake news and international law. The change in military doctrines favouring the need to raise cyber commands reflects a shift in strategies, which include building deterrence in cyberspace.
The concept of ‘active cyber defence’ is generally being adopted to address the new challenges. Examples of this are EU’s General Data Protection Regulation (GDPR), Asia-Pacific Economic Cooperation’s (Apec) Cross-Border Privacy Rules (CBPR), and the US’ Clarifying Lawful Overseas Use of Data (CLOUD) Act.
The global multi-stakeholder model of internet governance is showing cracks. The UN Group of Governmental Experts (GGE) could not conclude its report in 2015. Such has been the geopolitical nature of cybercrime that in 2018, the UN set up two parallel groups — the aforementioned GGE and the Open-Ended Working Group (OEWG) — to tackle norms of behaviour in cyberspace.
In India, the private sector has started playing a significant role in operating critical information infrastructure, particularly in power, transportation and healthcare. It is now more necessary than ever before to take cognisance of new directions and shifts in policies across the world.
It will be necessary to undertake a thorough risk and gap assessment of the current cyber resilience of India’s various economic sectors, as well as that of the governance structure that enforces and manages the cybersecurity policy and framework. National cybersecurity projects such as the National Cyber Coordination Centre (NCCC), National Critical Information Infrastructure Protection Centre (NCIIPC) and the Computer Emergency Response Team (CERT) need to be strengthened manifold and reviewed.
Anational cybersecurity strategy outlines a country’s cybersecurity vision and sets out the priorities, principles and approaches to managing cybersecurity risks. It would be more appropriate to have two national documents. One, a concise ‘National Cybersecurity Strategy’ that sets clear, top-down directions to enhance the cyber resilience for the ecosystem that includes government, public and private sectors, the citizenry, and also addresses international cyber issues.
Two, a separate ‘Cybersecurity Policy’ based on principles laid down in ‘strategy’. It must be outcome-based, practical and globally relevant, as well as based on risk assessment and understanding of cyberthreats and vulnerabilities. The security framework must include the compulsory testing of cyber products, infrastructure skill capacity development, responsibilities of entities and individuals, and public-private partnerships.
An accountable national cybersecurity apparatus must be provided clear mandates and be empowered adequately. It must be able to supervise and enforce policies across India, including policies regulated by independent regulators.
The writer is former National Cybersecurity Coordinator, Prime Minister’s Office, GoI