A central part of the Government of India’s development policy is the “Digital India” campaign, aimed at digitally empowering Indian citizens by boosting connectivity, expanding access, and improving electronic delivery of government services. However, as it makes progress on these goals, and as threats in cyberspace continue to grow, India needs to prioritize the security of the personal data of its citizens and update its Cyber Security Policy.
India announced its first ever national-level Cyber Security Policy in 2013, against the backdrop of revelations of NSA surveillance. The policy, which was articulated by the Ministry of Communications and Information Technology, served as “basically a statement of first principles” rather than a comprehensive framework for cybersecurity policy, according to Arun Sukumar, the head of the Cyber Security and Internet Governance Initiative at the Observer Research Foundation. Now, four years after its inception, the government needs a new policy that outlines a specific framework towards implementing broad principles outlined in the 2013 policy.
The Need for A New Policy
In the last four years since the announcement of the Cyber Security Policy, India’s cyber landscape has witnessed growing digitization as part of the Government’s Digital India push, as as well as more sophisticated cyber threats, particularly the WannaCrypt and Petya ransomware attacks that hit Indian networks this year. These radical changes necessitate a revision and update to India’s policy on Cyber Security.
Beyond responding to the changing cyber landscape, the government must also proactively address India’s ability to respond effectively to cyber threats by outlining an institutional framework ensure the country’s digital safety. Indeed, cyber policy in the Indian government has multiple stakeholders, ranging from the Ministry of Electronics & Information Technology, National Critical Infrastructure Information Protection Center, the Ministry of Home Affairs through its oversight of investigative authorities, and the newly created National Cyber Coordination Centre. Rudra Murthy, the Chief Information Security Officer of Digital India within the Ministry of Home Affairs, argues that because of these multiple stakeholders, “there would be confusion as to whom to approach,” and called for an updated cyber policy to include “an institutional arrangement” to respond effectively to threats.
From Broad Principles to Comprehensive Implementation
The 2013 Policy took a welcome first step in outlining the broad principles of how India can approach cyber security. However, the government of India needs an updated policy to move beyond simply a statement of principles and outline how to operationalize cyber security, from training cybersecurity personnel, to establishing public-private partnerships, and to facilitating civil-military collaboration.
The National Cyber Security Policy broadly outlined a vision for “To create a workforce of 500,000 professionals skilled in cyber security in the next 5 years through capacity building, skill development and training” in 2013. After nearly four years, the number for such skilled personnel is only 50,000 or 10% according to latest reports. An updated Cyber Security Policy should outline specific guidelines for the training and recruitment of such cyber specialists in a time-bound manner.
Public-private partnerships were a central feature of India’s cyber policy as well. The policy called for the “develop[ment] effective public private partnerships and collaborative engagements through technical and operational cooperation and contribution for enhancing the security of cyberspace.” However, there has been little development on this space. Industry partners such as the Information Systems Audit and Control Association (ISACA), the National Association of Software and Services Companies (NASSCOM), and the Data Security Council of India (DSCI) have collaborated to address private sector cyber security needs, but these processes have not yet aligned with government efforts. Addressing this gap must be at the heart of the government’s updated policy.
Another area of priority for a new cyber security policy must be fostering greater civil-military cooperation on cyber security. A group of eighty leading defense, strategic and intelligence officials, ranging from former Director of the Intelligence Bureau PC Haldar, former Admiral Arun Prakash, former Chief of the Air Staff PV Naik, and former Foreign Secretary Shyam Saran called upon Prime Minister Modi to “take urgent steps” to improve India’s cyber security standards. In particular, they highlighted the need for “more regular, more formalised interaction” between the civilian and military branches of government. The government’s updated policy must go beyond the vision of greater collaboration outlined in the 2013 policy, and outline the frameworks for such greater collaboration, potentially under the aegis of the newly created National Cyber Coordination Centre operationalized in August 2017.
Given the rapid transformation of the cyber landscape since 2013, as well as the need for a more comprehensive framework for the operationalization of the vision of cyber security policy as laid out by the government, India needs to update its cyber security policy.
Aman Thakker is an Analyst with Protagonist (formerly Monitor 360) and a graduate of the George Washington University’s Elliott School of International Affairs. He writes about Indian foreign and domestic policy.