Reports this week have suggested a cyberattack in September on the Kudankulam nuclear power project in Tamil Nadu. This has been subsequently denied by govt officials, even as an audit confirmed that an ‘incident’ had indeed occurred, but not on the main operations of the plant. In such a context, GoI’s scheduled release of the National Cybersecurity Strategy 2020 in January-February next year becomes all the more important.
The Cybersecurity Policy of 2013 is open & technology neutral. But it needs upgradation. The digital economy today comprises 14-15% of India’s total economy, & is targeted to reach 20% by 2024. India has more than 120 recognised ‘data centres’ & clouds.
The average data consumption per person a year is in the range of 15-20 gigabits. The growth rate in data generation is more than 35%. With more inclusion of artificial intelligence (AI), machine learning (ML), data analytics, cloud computing & Internet of Things (IoT), cyberspace will become a complex domain, giving rise to issues of a techno-legal nature.
Sectors such as healthcare, retail trade, energy & media face advance persistent threats (APTs), as the latest reports of an Israeli spyware allegedly used to spy on Indian journalists & human rights activists attest. These incidents relating to data leakage, ransomware, ATM/credit cards denial of service, diversion of network traffic intrusion in IT systems & networks using malware are on rise.
Attacks on embedded systems & IoT have also registered a sharp increase of late. Such incidents are being launched from cyberspace of different international jurisdictions.
Countries have now started taking different approaches, which include tackling matters related to data sovereignty, data localisation, internet governance, handling fake news & international law. The change in military doctrines favouring the need to raise cyber commands reflects a shift in strategies, which include building deterrence in cyberspace.
The concept of ‘active cyber defence’ is generally being adopted to address the new challenges. Examples of this are EU’s General Data Protection Regulation (GDPR), Asia-Pacific Economic Cooperation’s (Apec) Cross-Border Privacy Rules (CBPR), & the US’ Clarifying Lawful Overseas Use of Data (CLOUD) Act.
The global multi-stakeholder model of internet governance is showing cracks. The United Nations (UN) Group of Governmental Experts (GGE) couldn't conclude its report in 2015. Such has been the geopolitical nature of cybercrime that in 2018, the United Nations (UN) set up two parallel groups — the aforementioned GGE & the Open-Ended Working Group (OEWG) — to tackle norms of behaviour in cyberspace.
In India, the private sector has started playing a significant role in operating critical information infrastructure, particularly in power, transportation & healthcare. It is now more necessary than ever before to take cognisance of new directions & shifts in policies across the world.
It will be necessary to undertake a thorough risk & gap assessment of the current cyber resilience of India’s various economic sectors, as well as that of the governance structure that enforces & manages the cybersecurity policy & framework. National cybersecurity projects such as the National Cyber Coordination Centre (NCCC), National Critical Information Infrastructure Protection Centre (NCIIPC) & the Computer Emergency Response Team (CERT) need to be strengthened manifold & reviewed.
Anational cybersecurity strategy outlines a country’s cybersecurity vision & sets out the priorities, principles & approaches to managing cybersecurity risks. It would be more appropriate to have 2 national documents. One, a concise ‘National Cybersecurity Strategy’ that sets clear, top-down directions to enhance the cyber resilience for the ecosystem that includes govt, public & private sectors, the citizenry, & also addresses international cyber issues.
2, a separate ‘Cybersecurity Policy’ based on principles laid down in ‘strategy’. It must be outcome-based, practical & globally relevant, as well as based on risk assessment & understanding of cyberthreats & vulnerabilities. The security framework must include the compulsory testing of cyber products, infrastructure skill capacity development, responsibilities of entities & individuals, & public-private partnerships.
An accountable national cybersecurity apparatus must be provided clear mandates & be empowered adequately. It must be able to supervise & enforce policies across India, including policies regulated by independent regulators.
Source Link
