Another week and it seems it is time for another “cyber security policy” from a GoI body. This time it seems to be the National Security Council Secretariat (NCSC), which has reportedly
come up with a comprehensive cyber security policy for upgrading the security of systems and preventing them from being hacked, attacked with malware, or intruded upon by hostile entities.
Details are sketchy, which is not a surprise. Only Hindustan Times is reporting the story and what they say is
the plan has three components that demarcate task and authority. The existing Indian Computer Emergency Response Team (CERT-IN) will be tasked to handle the commercial aspects of cyber security, including 24×7 proactive responses to hackers, cyber-attacks, intrusions and restoration of affected systems.
The second aspect of the cyber plan is the creation of a technical-professional body that certifies the security of a network to ensure the overall health of government systems. While NSCS is advocating that initially the certification of networks could be done by private agencies, the long term plan is to create a technical body of professionals, all under 40, who will form the backbone of Indian cyber security.
The third aspect of the plan is cyber defence of critical infrastructure networks that are vulnerable to hostile foreign governments or proxy entities.
This seems eerily similar to the Ministry of Information’s “National Cyber Security Policy” Discussion Draft (pdf) that was issued around this time last year. We at Takshashila had responded (pdf) to that earlier invitation for comments and from the looks of it the issues raised then still plague this policy too.
(3) Orphan Policy. Cyber security cannot be considered in a silo. Cyber security – the business of safeguarding a country’s networking and technology infrastructure, and electronic information – is a subset of national security and a cyber security policy must be congruent to a national security policy. However, as India does not have a national security policy, the cyber security policy identiﬁed in the draft is effectively a “policy orphan.” As a result, signiﬁcant gaps could exist between this policy document and what different ministries, departments and agencies assume might be India’s national security goals and priorities. While we agree that this is not something that can be remedied at one go, the orphaned nature of the cyber security policy should be recognised and its implication studied and understood.