The rapid expansion of digital penetration in India brings with it the need to strengthen cybersecurity. The critical nature of the myriad cyber threats that India faces was underscored by the recent breaches at the Kudankulam nuclear power plant and the Indian Space Research Organisation. These were just two of the 1,852 cyber-attacks that are estimated to have hit entities in India every minute in 2019. Symantec’s 2019 Internet Security Threat Report ranks India second on the list of countries affected by targeted attack groups between 2016 and 2018.
It’s clear that India faces expanded and more potent cyber threats. Given this fact, the new national cybersecurity policy, set to be announced early next year, should improve on the shortcomings of the previous policy of 2013. The most significant of these were the absence of clear, measurable targets, failure to set standards for the private sector and limited focus on international collaboration.
In many ways, the broad thrust of the 2013 policy was on point. It argued for the need to build a “secure and resilient cyberspace,” given the significance of the IT sector in fostering growth and driving social transformation and inclusion. This called for creating a “secure computing environment and adequate trust and confidence in electronic transactions, software, services, devices and networks”. Since then, certain steps have been taken to operationalise the policy. These include the establishment of the National Cyber Security Coordination Centre and Cyber Swachhta Kendra, along with announcements to set up sectoral and state CERTs and expand the number of standardisation, testing and quality certification testing facilities. However, much more needs to be done, and at a faster pace.
While it is no one’s argument that state capacity can be augmented overnight, setting clear targets can help drive action towards an identified goal. Moreover, the lack of these in the 2013 policy means that it is extremely difficult today to assess whether the policy had the desired impact. Five-year plans are well-written documents, whether or not you agree with the goals they outline for the nation or even if the five-year approach is right at all.
The most quantifiable item on the agenda for the 2013 cybersecurity policy was the objective to create a workforce of 500,000 professionals skilled in cybersecurity in the next five years through capacity building, skill development, and training. The objective set a number that one could revisit five years later to see whether the outcome exceeded or fell short of expectations. And the data in this regard is sobering. For instance, in 2018, IBM estimated that India was home to nearly 100,000 trained cybersecurity professionals. What’s more alarming is that it estimated the total number needed at nearly three million. The 2020 policy must, therefore, not just identify clear targets but also identify the ways and means through which those targets should be met.
Almost everything else in the 2013 document was fairly ambiguous. It contained repeated references to adopting and adhering to global standards for cybersecurity. However, there was no clarity on what specific standards should be followed and how long industry should take to adopt them.
This brings us to the second shortcoming. The policy at the time was hoping to balance encouraging innovation with ensuring that basic standards for security and hygiene were met. When it comes to the private sector, it repeatedly used words such as “encourage”, “enable” and “promote”, being careful not to make anything mandatory. Even when it did mandate something, say, global best practices for cybersecurity in critical infrastructure, it is hard to say how it planned to declare the mandate a success or a failure. This is again a pitfall that the 2020 policy must avoid. The policy must establish or identify standards that the industry should adopt within a fixed timeframe. Also, there is a need for the government to engage with the private sector, particularly when it comes to sharing skills and expertise.
Finally, when it comes to international collaboration, the 2013 policy argued for developing bilateral and multilateral relationships in the area of cybersecurity with other countries and for enhancing national and global cooperation among security agencies, CERTs, defence agencies and forces, law enforcement agencies and the judicial systems. Since then, India has entered into a bunch of cybersecurity-related MoUs. However, there is an urgent need to put in place domestic frameworks, for instance with regard to data protection, which will enable broader global collaboration and participation in rule setting. Unfortunately, this has not been happening. For instance, India was not a signatory to the Budapest Convention, which would have allowed for easier access to data for law enforcement. It also did not enter into an executive agreement under the US-initiated CLOUD Act. On a related note, the government also did not sign the Osaka Track, a plurilateral data sharing agreement proposed at the 2019 G20 Summit. These are important dialogues that India must be part of if it is to build a resilient and thriving cyber ecosystem.