National Cyber Security Policy Of India

The recent cyber attacks upon India have proved once again that we need to pay more attention to cyber security in India. Cyber security in India is required not only to protect sensitive information stored in the computers of strategic Indian departments and ministries but also to safeguard the present and future critical infrastructure of India.

Not only critical infrastructure protection in India is needed but also critical ICT infrastructure protection in India (CIIP in India) is need of the hour. CIIP in India is an area that requires urgent attention of our policy makers. We must formulate a critical ICT infrastructure protection policy of India as soon as possible.

Similarly, cyberspace crisis management plan of India is also required to be formulated. We must formulate a national ICT crisis management plan of India. Further, Indian crisis management plan against cyber attacks and cyber terrorism must also be formulated.

All these, and many more, aspects must be made a part of the cyber security policy of India. A national cyber security policy of India must be formulated in this regard that is made implementable after a reasonable period. Issues like cyber warfare, cyber terrorism, cyber espionage, international cyber security cooperation, etc must be part of the same.

We need a clear and implementable cyber security strategy of India. The cyber security policy and strategy of India must be techno legal in nature that can take care of both technical and legal aspects of cyber security.

There is no second opinion that national security policy of India is required and cyber security is an essential and indispensable part of the same. The sooner we formulate and adopt the same the better it would be for the larger interests of India.

Cyber Security Policy Of India

Cyber Security is an issue that tries to protect and preserve the Information Technology Infrastructure (ITI) of a Nation. Since Cyberspace is boundary less it is possible to attack the ITI of any Nation from any place.

We are still dealing with the Cyber Security issues in India. Although India has formulated the Cyber Security Strategy but it is more on the side of prescribed guidelines alone. The practical and actual implementation of the same is still missing.

Policies and Strategies issues are best implemented practically and effectively if they are made part of the National Policies. Till now we have not formulated a National Cyber Security Policy of India that is implantable at National level.

The Cyber Security Policy of India must cover areas like Cyber Laws, Cyber Crimes, Transnational Technological Crimes, Cyber Attacks, Cyber Warfare, Cyber Terrorism, Cyber Espionage, Human Rights Protection in Cyberspace, Critical Infrastructure Protection Plan, Critical ICT Infrastructure Protection, Crisis Management Plan, etc.

Till now there is no National Cyber Security Policy of India that covers these issues and is implementing the same. Our websites are frequently defaced, strategic computers are often compromised, sensitive defence documents are occasionally stolen and cyber espionage against India is frequently committed.

I also understand that it is not possible to have an absolute Cyber Security. The notion of having an absolute Cyber Security is a “Myth” as we cannot ensure absolute Cyber security anywhere. There are exploits and vulnerabilities, both hardware and software based, that cannot be anticipated and tackled in advance. In fact, “Zero Days Exploits” are the most difficult one to anticipate and handle. In these types of exploits all Cyber Security Measures proves ineffective and futile.

Further, human beings are usually the weakest link in the Cyber Security infrastructure and Social Engineering is the easiest way to break into a Computer System. Besides being easy, Social Engineering can be incredibly cheap. Social Engineering is the hardest form of attack to defend against because an individual or organisation cannot protect itself with hardware or software alone.

Both Government Departments and Private Companies must have good employee’s awareness activities and information dealing policies in place and the employees must strictly follow these policies. The employees must be willing to ask relevant questions while dealing with a request to provide sensitive information.

Indian Government must also focus upon Techno Legal Cyber Security Skill Development for its employees and departments. Suitable Techno Legal Cyber Security Courses must be made available to Government departments and employees. All these issues must be made part of the Cyber Security Policy of India that should be formulated and implemented as soon as possible.

Australia Plans Cyber Defence Strategy To Combat Hacking

Cyber Security Strategy is one of the most important Strategies of any Nation. This Strategy should not be mere words but an “Implementable Mechanism” that can ensure Robust Cyber Security. This Mechanism must also be supported by a Stringent and Strong Legal Framework in this regard.

In the Indian context, we have a poor Cyber Security in India. We have no implementable Cyber Security Strategy in India. We are still following “Achievements on Paper Theory” in India. We have no Cyber Warfare Policy in India and even Critical ICT Infrastructure Protection Policy of India is missing. Even the Cyber Law of India deserves to be repealed. These Policies do exist in “Form but not in Substance”. Hence for all practical purposes we can consider them as non existent.

Further, there is also no International Cyber Security Treaty as well. In fact, Developing Countries like US are against such International Treaty. This makes International Cooperation and Harmonisation next to impossible. The only viable option that remains is strengthening National Cyber Security and National Cyber Laws and Australia is doing exactly the same.

Australia will develop a Cyber Defence Strategy to combat Cracking and Cyber Espionage. Australian Government declared this after responding to what it sees as an increased threat after recent cyber attacks on global companies and government officials.

For instance, the news of attempt to steal the password of hundreds of Google email account holders, including those of senior U.S. government officials, Chinese activists and journalists is out. Google believes that Chinese hackers are behind this attempt once again. US is assessing whether security had been compromised by this attack.

Australia's Parliament came under cyber attack in February, with the computers of at least 10 federal ministers including Prime Minister Julia Gillard and Defence Minister Stephen Smith, targeted and confidential emails possibly accessed. Similarly, the European Parliament's computer networks were also breached by a cyber attack.

Critical ICT Infrastructure Protection Policy Of India

Critical ICT Infrastructure Protection in India is in news thanks to the India US Homeland Security Dialogue. India has to go a long way before it can effectively protect its Critical ICT Infrastructures from Cyber Attacks. India is also all alone in its initiatives irrespective of Bilateral Agreements as there is no “International Norms” in this regard.

Further, absence of Cyber Security in India and Cyber Security Policy and Strategy of India has further complicated the matter. Naturally Indian Cyberspace is Vulnerable to Cyber Attacks, Cyber Terrorism, Cyber Warfare and Cyber Espionage. Absence of Cyber Warfare Policy of India has further complicated this situation.

The least Indian Government can do in this regard is to formulate a Critical ICT Infrastructure Protection Policy for India. These days a majority of crucial functions of Private Companies and Government are essentially connected with the Computers and Computers Systems. If these Computers or Computer Systems are compromised, much damage can be done to the Country where such breach has occurred.

At Perry4Law and Perry4Law Techno Legal Base (PTLB) we are working in the direction of formulating a world class Critical ICT Infrastructure protection Policy of India. We are analysing the “International Best Practices” in this regard so that a “Composite Policy” can be formulated in this regard.

We have also opened a Techno Legal Cyber Security Research and Training Centre (CSRTCI) that is analysing Techno Legal aspects of Cyber Law, Cyber Security, Cyber Forensics, Cyber Warfare, Cyber Espionage, Critical ICT Infrastructure Protection (CIIP), etc.

Perry4Law and PTLB can enter into a Public Private Partnership (PPP) Agreements with National and International Organisations like United Nations (UN), North Atlantic Treaty Organisation (NATO), Indian Government, Foreign Governments, etc on a mutually beneficial basis.

We are also working in the direction of “Harmonisation” of International Standards and Norms in the field of Cyber Law, Cyber Crimes, Cyber Security, etc. Interested Individuals or Organisations may Contact Us in this regard.

Now it is for the Indian Government to take the call and start working upon crucial Policies issues pertaining to Cyber Crimes, Cyber Security and Critical ICT Infrastructure Protection.

Cyber Security In India

Cyber security in India is not upto the mark and is an ignored world. Further, India has no cyber security policy and strategy that can be implemented under any legal framework. Merely mentioning that India has formulated a cyber security strategy or policy is not enough till it has a force of law.

One area that India has not touched at all pertains to enactment of cyber security laws. Till now we have no cyber security laws in India. Of course, one or two vague provisions have been incorporated in the information technology act, 2000 (IT Act 2000) of India that happens to be the sole cyber law of India.

Even the cyber law of India is weak and ineffective in tackling the fast growing cyber crimes in India. Many of the provisions contained in the IT Act 2000 have crossed the limits of constitutionality. This has made a dominant part of Indian cyber law unconstitutional. In fact, so bad is the position that a need to repeal the cyber law of India has been felt these days.

So we have neither a policy/strategy for cyber security nor legal framework for its implementation. All we have are uncodified and non implementable words that have no significance and legal value.

India has faced many cyber attacks in the past. Many of them were not detected for a very long period of time. Indian websites are regularly defaced by cyber miscreants. Cases of cyber espionage are rampant in India. Sensitive and strategic defence forces and ministries computer systems are frequently breached and sensitive data is occasionally stolen.

Perry4Law and Perry4Law Techno Legal Base (PTLB) firmly believe that it is high time for India to formulate effective cyber security policies/strategies and cyber security laws in India. Further the cyber law of India must also be repealed and a strong and robust law must be enacted that is also constitutionally and legally sound.

Cyber Security Policy And Strategy Of India

Cyber security of India is an aspect that deserves attention at the national level. It must be reflected in the national policies and strategies of India. For the time being we have no enforceable national cyber security policy of India or national cyber security strategy of India.

This is a serious lacuna that is not conducive for the national security of India in general and cyber security of India in particular. We have no cyber security laws in India and even our cyber law is not strong enough. On the contrary the cyber law of India is encouraging growth of cyber crimes in India by making almost all the cyber crimes bailable.

By making the offences and cyber crimes “bailable” India has made its cyberspace a “free zone” and “safe heaven” for cyber criminals and cyber offenders. It seems the problems of Indian cyber security are multi facet in nature. We do not have sufficient laws, we lack proper strategies and policies, and we do not care much about cyber security.

India has been a victim of cyber espionage on many occasions where crackers operating in foreign jurisdictions regularly attack Indian computers and have successfully taken out sensitive information. International community is stressing upon enhancement of their cyber security capabilities unlike India.

It is high time for India to consider cyber security seriously. Cyber security is not a one day process that can be implemented all of a sudden. It requires years of planning and continued efforts to have a robust cyber security. The sooner it is adopted by India the better it would be for the national interest of India.