Status of India’s National Cyber Security Strategy


    In Context 

    Indian organisations witnessed a 218% increase in ransomware attacks in 2021, making the nation the tenth most targeted country globally and second after Australia in the Asia-Pacific region.

    • Amid a surge in cyberattacks on India’s networks, Centre is yet to implement the National Cyber Security Strategy which has been in the works since 2020.

    Significance and need of cybersecurity strategy

    • As per American cybersecurity firm Palo Alto Networks’ 2021 report, Maharashtra was the most targeted state in India — facing 42% of all ransomware attacks. 
      • India is among the more economically profitable regions for hacker groups and hence these hackers ask Indian firms to pay a ransom, usually using cryptocurrencies, in order to regain access to the data. 
        • One in four Indian organisations suffered a ransomware attack in 2021 — higher than the global average of 21%.
      • Software and services(26%), capital goods (14%) and the public sector (9%) were among the most targeted sectors. 
        • Increase in such attacks has brought to light the urgent need for strengthening India’s cybersecurity.

    What is the National Cyber Security Strategy?

    • Conceptualised : by the Data Security Council of India (DSCI) 
    • Aims : To ensure a safe, secure, trusted, resilient, and vibrant cyberspace for India.
    • Focused Areas :
      • Large scale digitisation of public services: Focusing on security in the early stages of design in all digitisation initiatives, developing institutional capability for assessment, evaluation, certification, and rating of the core devices and timely reporting of vulnerabilities and incidents.
      • Supply chain security: Monitoring and mapping of the supply chain of the Integrated circuits (ICT) and electronics products, scaling up product testing and certification, leverage the country’s semiconductor design capabilities globally at strategic, tactical and technical level.
      • Critical information infrastructure protection: Integrating Supervisory control and data acquisition (SCADA) security with enterprise security, monitoring digitisation of devices, evaluating security devices, maintaining a repository of vulnerabilities, preparing an aggregate level security baseline of the sector and tracking its controls, devising audit parameters for threat preparedness and developing cyber-insurance products
      • Digital payments: Mapping and modelling of devices and platform deployed, supply chain, transacting entities, payment flows, interfaces and data exchange, routine threat modelling exercises to disclose vulnerabilities, threat research and sharing of threat intelligence, timely disclosure of vulnerabilities
      • State-level cyber security: Developing state-level cybersecurity policies, allocation of dedicated funds, critical scrutiny of digitization plans, guidelines for security architecture, operations, and governance
      • Security of small and medium businesses: Policy intervention in cybersecurity granting incentives for higher level of cybersecurity preparedness, developing security standards, frameworks, and architectures for the adoption of Internet of Things (IoT) and industrialisation
    • Recommendations : To implement cybersecurity in the above-listed focus areas, the report lists the following recommendations:
      • Budgetary provisions:
        • A minimum allocation of 0.25% of the annual budget, which can be raised upto 1% has been recommended to be set aside for cyber security.
        •  In terms of separate ministries and agencies, 15-20% of the IT/technology expenditure should be earmarked for cybersecurity.
        • The report also suggests setting up a Fund of Funds for cybersecurity and providing Central funding to States to build capabilities in the same field. 
        •  it is recommended to adhere to practices based on discovery, visibility and risks of critical information.
    • Research, innovation, skill-building and technology development:
      • The report suggests investing in modernisation and digitisation of Integrated Circuits (ICT), setting up a short and long term agenda for cyber security via outcome-based programs and providing investments in deep-tech cyber security innovation.
      •  In a bid to attract experts to work on cybersecurity, it is recommended to host hackathons, hands-on workshops, simulations on security on both national and state levels.
      • Furthermore, a national framework should be set in collaboration with institutions like National Skill Development Corporation (NSDC) and ISEA (Information Security Education and Awareness) to provide global professional certifications in security. DSCI further recommends creating a ‘cyber security services’ with cadres chosen from the Indian Engineering Services.
    • Crisis management:
      • For adequate preparation to handle a crisis, DSCI recommends holding cybersecurity drills which include real-life scenarios with their ramifications. 
      • In critical sectors, simulation exercises for cross-border scenarios must be held on an inter-country basis. To identify possible weaknesses and exploitations in systems, DSCI recommends sharing of threat information between government departments.
    • Cyber insurance:
      • Cyber insurance being a yet to be researched field, must have an actuarial science to address cybersecurity risks in business and technology scenarios as well as calculate threat exposures.
      •  DSCI recommends developing cyber insurance products for critical information infrastructure and quantifying the risks involving them.
    • Cyber diplomacy:
      • Cyber diplomacy plays a huge role in shaping India’s global relations. 
      • Hence cyber security preparedness of key regional blocks like BIMSTEC and SCO must be ensured via programs, exchanges and industrial support. 
      • To further better diplomacy, the government should promote brand India as a responsible player in cyber security and also create ‘Cyber envoys’ for the key countries/regions, suggests DSCI. 
      • For a robust internet infrastructure, DSCI suggests keeping critical infrastructure, the root server of programs controlling and governing India, inside India.
    • Cybercrime investigation:
      • With the increase in cybercrime across the world, the report recommends unburdening the judicial system by creating laws to resolve spamming and fake news.
      •  It also suggests charting a 5-year roadmap factoring possible technology transformation, setting up exclusive courts to deal with cybercrimes and removing backlog of cybercrimes by increasing centres providing opinion related to digital evidence under section 79A of IT act.
      • DSCI suggests advanced forensic training for agencies to keep up in the age of AI/ML, Blockchain, IoT, Cloud, Automation. Law enforcement and other agencies should partner with their counterparts abroad to seek information from service providers overseas. 
      • The report also suggests creating a special cadre of Cybercrime investigators.

    What is the progress in its implementation?

    • In the recent Budget session of Parliament, several MPs questioned the Ministry of Electronics & Information Technology (MEiTy) on when the Centre plans to introduce the policy.
    • In response, the Centre clarified that it has “formulated a draft National Cyber Security Strategy 2021 which holistically looks at addressing the issues of security of national cyberspace.
      • Without mentioning a deadline for its implementation, Centre added that it had no plans as of yet “to coordinate with other countries to develop a global legal framework on cyber terrorism.”

    What more needs to be done in this context?

    • The need of the hour is to come up with a futuristic National Cyber-Security Policy which allocates adequate resources and addresses the concerns of the stakeholders. 
    • Similarly, there is a need for quicker up-gradation of the existing infrastructure as information technology is a fast-evolving field and there is a need to stay ahead of the competition.
    • There is a need to enhance the general awareness levels of the government installations as well as the general public to counter such threats.
    • Often the private sector is seen as a key innovator and their help can be crucial in securing cyberspace.