The Indian government’s Cyber Security Policy — to be unveiled on Tuesday — will have a wide reach, with a National Nodal Agency being set up which will cover and coordinate security for all strategic, military, government and business assets.
This is distinctive, since, so far, national security regimes have been divided among the Ministry of Defence (for securing India’s borders) and the Ministry of Home Affairs (for national and internal security across States).
The policy, however, plans to “create national and sectoral level 24x7 mechanisms for obtaining strategic information regarding threats to ICT infrastructure, creating scenarios for response, resolution and crisis management through effective, predictive, preventive, proactive response and recovery actions”.
Speaking to The Hindu , Telecom Minister Kapil Sibal said, “Cyber security is critical for economic security and any failure to ensure cyber security will lead to economic destabilisation.”
The second defining aspect of the policy is the level at which it envisages public-private partnership to protect national assets.
There is a clear recognition in the policy that, apart from India’s IT, technology and telecommunications services, large parts of financial & banking services, airline & transportation services, energy and healthcare assets are not only owned by the private sector but, in fact, remain vulnerable to cyber-attacks, both from state and non-state actors. India already has 800 million active mobile subscribers and 160 million other Internet users of which nearly half are on social media. India targets 600 million broadband connections and 100% teledensity by 2020. Internet traffic in India will grow nine-fold by 2015 topping out at 13.2 exabytes in 2015, up from 1.6 exabytes in 2010.
The ICT sector has grown at an annual compounded rate of 33% over the last decade and the contribution of IT and ITES industry to GDP increased from 5.2% in 2006-7 to 6.4% in 2010-11, according to an IDSA task force report of 2012.
The policy lays out 14 objectives which include creation of a 5,00,000-strong professional, skilled workforce over the next five years through “capacity building, skill development and training”. The document identifies eight different strategies for “creating a secure cyber eco-system” including a designated “national nodal agency to coordinate all matters related to cyber security”. The policy discusses the need for “creating an assurance framework” apart from encouraging open standards to “facilitate inter-operability and data exchange amongst different products or services”.
There is in place a plan to operate and strengthen the national Computer Emergency Response Team (CERT-In) to operate 24x7 and to act as a nodal agency for all efforts for cyber security, emergency response and crisis management, as an umbrella agency over CERTs.
One of the key objectives for the government is to secure e-governance services where it is already implementing several nationwide plans including the “e-Bharat” project, a World Bank-funded project of Rs. 700 crore.
Several other key services under the national e-governance plan resulting in approximately 1.56 crore e-transactions per month, will be protected under the security policy.
Protection centre
A crucial aspect of the policy is building resilience around the Critical Information Infrastructure (CII) by operationalising a 24x7 Nation Critical Information Infrastructure Protection Centre (NCIIPC). The Critical Information Infrastructure will comprise all interconnected and interdependent networks, across government and private sector.
The NCIIPC will mandate a security audit of CII apart from the certification of all security roles of chief security officers and others involved in operationalising the CII.
The policy will be operationalised by way of guidelines and Plans of Action, notified at national, sectoral, and other levels.
While there is a recognition of the importance of bilateral and multilateral relationships, the policy does not clearly identify India’s position vis-à-vis the Budapest Convention even though government delegations have attended meetings in London and Budapest on related issues in 2012.
