Much like the space it aims to protect, India’s cyber security policy, launched this week, is characterised by a striking duality of purpose. On the one hand, it seeks to guard, and thus strengthen, the country’s strategic assets and online intelligence infrastructure. On the other, it hopes to secure the transactions of citizens, companies and public services on the web. The latter, more enabling goal is intended to promote the volume of e-commerce and the reliability of e-governance in India. But any attempt to harmonise the two objectives must be weighed against the United Progressive Alliance’s track record on Internet regulation. This cyber security policy emerges from a government that has systematically brought its legislative tools (Section 66A of the Information Technology Act, 2000) and surveillance machinery (the Central Monitoring System) to bear adversely on privacy. Protecting cyber space, as the policy acknowledges, involves streamlining best practices in data security, identifying sensitive and vulnerable online content, and monitoring compliance — aspects that require entrenched collaboration between various government bodies, telecom and Internet giants, corporate entities, as well as enforcement agencies. Therefore, it is important to ensure the cyber security policy does not end up institutionalising the flow of private data to the government’s already vast and unregulated snooping systems.
Unfortunately, this is precisely the direction the policy takes in its current avatar. The UPA has sought to create national nodal agencies to “coordinate all matters relating to cyber security,” a task that includes spelling out policy guidelines, managing crises, and performing periodic security audits. The power to propose, implement and monitor India’s cyber security regulations has been concentrated in the hands of a few agencies without specifying what participatory role, if any, civil society and industry will play in them. Where Information and Communication Technology guidelines are prescriptive, the government plans to offer tax incentives for companies conforming to them, effectively coercing the latter into obedience. Most importantly, the policy fails to address the scope of oversight, parliamentary or judicial, that such entities will be subject to. Already, India’s CMS thrives on telephonic and internet surveillance that is unbridled by law. Where legislation exists, like in the United States, Britain and France, it has struggled to keep pace with changes in technology. The UPA’s cyber security policy is a laudable attempt to stay ahead of this curve. But the government should now orient its goals towards protecting India’s networked society and economy, not policing them.