Our Submission to the National Cyber Security Strategy 2020

The National Security Council Secretariat had invited submissions/comments for the proposed National Cyber Security Strategy, 2020 recently. SFLC.in had submitted its comments which are published hereunder. The 2020 strategy is an attempt to revise and strengthen the National Cyber Security Policy 2013 and was based on the following vision to "ensure a safe, secure, trusted, resilient and vibrant cyber space for our Nation’s prosperity."

The Secretariat sought comments based on the following "Pillars of Strategy"
      a. Secure (The National Cyberspace)
      b. Strengthen (Structures, People, Processes, Capabilities)
      c. Synergise (Resources including Cooperation and Collaboration)

SFLC.in's submissions were as follows:

 

India ranks second among the top countries that were affected by targeted cyber attacks during the period 2016-2018 as per Symantec's Internet Security Threat Report 2019. At the same time, it is a matter of great concern that India’s rank fell from 23 (in 2017) to 47 (in 2018) in the Global Cybersecurity Index (GCI) 2018 published by the International Telecommunication Union. Five designated areas form the basis of the indicators for the GCI which are legal, technical, organisational, capacity building, and cooperation. Therefore, a ‘whole-of-nation’ strategy demands nothing but state-of-the-art infrastructure which includes hardware and software components that constitute the cyberspace within the regulative control of the State; strength of internal and external co-operation within and among agencies and entities involved in national cybersecurity; and a comprehensive legal and policy framework.

 

India faces the following challenges in formulating a robust, and futuristic cyber security strategy:

1. Low awareness among stakeholders

With the proliferation of digital devices in the Indian market and with the lowering of charges for Internet connectivity, people from economically lower backgrounds have been able to use smart devices and 4G connectivity. However, there is a need to raise awareness among these users to use the devices securely. This is sometimes also the case with educated and affluent consumers, who have low awareness in cyber/digital security. This calls for grassroot level awareness and training for consumers of digital devices and services. Similar is the case for government offices (whether Central or State) where best practices are not followed when it comes to secure use of digital devices and the Internet. When treading into grassroot levels, language is also a barrier in conveying concepts to consumers. So, any awareness or training programme must be delivered in vernacular languages.

2. Emerging Technologies

The 2013 National Cyber Security Policy lacked due concern to emerging technologies such as Blockchain, Internet of Things (IoT), 5G and most importantly, Artificial Intelligence. With IoT products slowly creeping into the market, India awaiting 5G connectivity, and artificial intelligence being relied on, there are greater challenges in securing the cyberspace. It is also alarming that with IoT standards easily available, these may be implemented by mid-level enterprises which do not give much care to security, or cannot implement strong safeguards because of lack of expertise or resources. The cyber security strategy must consider including highly secure technical standards for digital devices and services which employ emerging technologies.

3. Lack of Wider Public Private Partnerships

The 2013 Policy spoke of public-private partnership to facilitate collaboration and cooperation among stakeholder entities; however such partnerships should not be maintained only with private sector entities but also with academia, civil society and independent security researchers. This should lead to formulation of policy encouraging independent security researchers, white hat hackers and ‘bounty hunters’. Wider engagement with the community can also be increased by engagement with communities involved in free and open source software (“FOSS”). Moreover, the adoption of FOSS into the national cyber security framework will increase contribution from the community. Opening up the source code of abandoned projects/products by corporates needs to be encouraged to better understand legacy systems and products and their vulnerabilities.

4. Lack of Comprehensive Legal Framework

Perhaps the biggest challenge is the lack of a comprehensive sector neutral legal & regulatory framework in India pertaining to cyber security. The Data Protection Law is still in the draft stage. However, even the enactment of the Data protection law would not satisfy the need of a legislation specific to cyber security. The present Personal Data Protection Bill does mention reporting cyber incidents in the form of reporting data breaches. However, there are other issues pertaining to cyber incidents which needs addressing such as post incident investigation (forensics), evidence acquisition etc. which are nascent in terms of being regulated by law or policy. This also calls for revision of the existing rules under the Information Technology Act, 2000.

 

Recommendations

1. Steps should be initiated to roll out comprehensive cyber security awareness programmes for all stakeholders.

2. A comprehensive legal framework should be planned with a data protection law and cyber security specific legislations.

3. Partnerships should be planned with various stakeholders including private sector entities, academia, civil society and independent security researchers.

4. Government should adopt FOSS software and open standards so that the software used is auditable and verifiable.

5. Government should place special emphasis on protecting critical infrastructure.


Note: Minor edits, such as modifications to words and deletion of certain characters within the text were made at the time of submission to cater to the requirement of the Secretariat to keep the submission within 5000 characters. However, no substantial changes were made to the arguments and recommendations made.