A policy or a law has no utility unless it is implemented. Thanks to the sluggish execution, the national cyber security policy (NCSP), aimed at building a secure and resilient cyber space to ensure economic stability and strengthen national security, has been reduced to a mere 10-page government document. Unveiled on July 2, 2013 by the UPA government, the plan to strengthen cyber security continues to remain on paper.

The policy was influenced by global developments. For example, the US and Israel deployed cyber weapons (read high-grade malware), destroying approximately 1,000 centrifuges at an Iranian nuclear plant in 2010. It later became a digital pandemic infecting thousands of computers in India and other countries. Two years later, a cyber intrusion at Aramco, Saudi Arabia’s state-run oil corporation, led to a complete loss of data from 35,000 computers.

The emergence of cyber weapons posed a threat to India’s own critical information infrastructure, including telecom, aviation, banking and finance, defence and power, which entirely run on networked computers. India, unlike developed countries, didn’t have the wherewithal to deal with the cyber challenge.

As a result, policy formulation was the first step towards dealing with the cyber threat. The policy aims “to protect information and information infrastructure, build capabilities to prevent and respond to cyber threats, and reduce vulnerabilities through a combination of institutional structures, people, process, technology and cooperation”.

Compared globally, it is a comprehensive policy document on cyber security, said Rahul Sharma, senior consultant, Data Security Council of India (DSCI), a Nasscom body on cyber security. The government laid out 14 broad objectives and strategies in the policy. It didn’t, however, spell out the action points and work distribution among various agencies. 

Here’s a list of policy directives and areas, which still remain unaddressed.

1. One of the first directives of the cyber security policy is to create a secure cyber ecosystem. To realise this goal the policy provided for setting up a national body, which would coordinate the implementation of NCSP across the country. The government did appoint a national cyber security coordinator (NCSC) – Gulshan Rai, former head of Indian computer emergency response team (ICERT), in March 2015. The cyber security coordinator is part of the national security council secretariat (NSCS), which reports directly to the prime minister’s office (PMO).

According to an official, Rai has a team of only four people. “The team comprises consultants who come from defence background,” he said. His office has a limited budget, disproportional to the nature of his job and responsibilities, the official added. Besides Rai’s team, a joint secretary-level official belonging to administrative services oversees cyber security matters at the NSCS.

2. The policy proposed to create “national level systems, processes, structures and mechanisms to generate necessary situational scenario… and enable timely information sharing for proactive, preventive and protective actions”.

A plan to set up the ‘national threat intelligence centre’ was initially proposed by a joint working group (JWG) headed by deputy national security advisor (deputy NSA) Latha Reddy in 2012. According to Kamlesh Bajaj, former CEO, DSCI, who was a part of the JWG, the idea was to set up a control centre, which would have access to the traffic of all critical information infrastructure facilities. In case of an attack on any facility, the centre would ascertain its origin, the ‘attack vector’ and the nature of malware, Bajaj said. 

Later, the government named it National Cyber Coordination Centre (NCCC), which would have participation from different stakeholders: intelligence bureau, research and analysis wing, military intelligence, three military services, central bureau of investigation, and national technical research organisation. It has been decided to host the co-ordination centre under DeitY-ICERT.

In 2015, the cabinet approved over Rs 800 crore to set up the centre. At present, the project is at a nascent stage. Considering the complex nature of the project, the government adopted a phased approach to set up NCCC, Aruna Sharma told Governance Now earlier this year when she was DeitY secretary (She is now secretary, ministry of steel). “In the first phase, a secure data collection framework is being set up. Correlation, analysis and detection of security threats will be carried out on the collected data to generate situational awareness,” she said. Further, tests and proof of concept (PoC) of commercially available technologies will be conducted to identify and develop security analytics. Based on the initial experience, the setup will be scaled up in the second phase. “With the availability of funds and skilled manpower, second phase will be completed by August 2017,” she said.

3. The policy provided for setting up of information sharing and analysis centres (ISAC) and computer emergency response teams (CERT) for every critical sector. But so far only banking institutions have constituted an ISAC in Hyderabad under the Institute for Development and Research in Banking Technology (IDRBT). 

The Indian Banks – Centre for Analysis of Risks and Threats (IB-CART) convenes a CISO (chief information security officer) forum every quarter wherein security officials from all banks come together to update each other about the nature of threats they have to deal with. The centre also maintains a portal where banks report about cyber incidents on a daily basis.

“At least 20 incidents are reported per day on the portal,” said an official working with a major government-run bank. These reports, however, are about the usual malware and phishing attacks. Even after confidentiality is ensured by the IDRBT and RBI, the banks are reluctant to share serious cyber security breach, fearing loss of reputation.

A cyber hack, for example, early this year in which three banks (and one pharmaceutical company) were targeted wasn’t reported to IB-CART.
Apparently, hackers sent an email to the IT admin team of banks imitating as one coming from the top management. As soon employees opened their emails and downloaded the attachment carrying the malware, the files stored on the computer were encrypted and locked. Soon the malware spread to other computers and locked their data too.

Over the email, the hackers demanded one bitcoin to unlock/decrypt one PC. One bitcoin is estimated to be worth Rs 35,000. It was a ‘ransomware’ attack – where the victim pays money to get back its data, lest all data in the computer is wiped out. Two officials aware of the incident told Governance Now that money was indeed paid to the hackers to secure the encrypted data.

“Apart from banking no other sector has set up an ISAC,” said an official at the DSCI. In telecom, it is still under process, the official added. The idea of sectoral computer emergency response teams also remains on paper.

4. The policy required public and private organisations to appoint a chief information security officer (CISO). “But in some banks the monitoring role performed by a CISO still rests with the IT department, which rolls out and maintains the infrastructure,” the official with the PSU bank said. There is no way to ascertain if critical facilities have appointed CISOs and allocated a fixed budget on cyber security.

5. To ensure compliance and cope with emerging technologies such as cloud computing, encrypted services (like WhatsApp) and social media, an amendment to the Information Technology Act has been overdue.

A strengthened legal framework, the policy states, would “mandate periodic audit and evaluation of the adequacy and effectiveness of security of information infrastructure as may be appropriate, with respect to regulatory framework.” Although the amendment has been on the government’s agenda for over three to four years, it has not materialised yet.

6. Similarly, a framework on cyber security or a cyber security architecture detailing in-depth defence strategy and a clear demarcation of roles and responsibilities in case of a cyber-attack is yet to see the light of the day.

7. The policy also talked about improving cyber forensics capabilities. India doesn’t have high quality forensic labs, said Bajaj. Also the Hyderabad-based central forensic lab, which has some expertise in cyber forensics, is highly understaffed. “Whenever agencies approach the lab, it takes a few months to a couple of years to get the report,” said Bajaj. In the absence of quality government labs, the law enforcement agencies have to depend on the private labs.

8. One of the most significant directives of the policy was to create a skilled human resource of five lakh professionals. Since 2005, the DeitY has been running information security education and awareness (ISEA) programme. The programme intended to introduce cyber security in the curriculum of BTech and MTech students at the seven IITs, 12 national institutes of technology and IISc. The programme has completed two phases (of five years each). The outreach of the programme, however, has been limited. According to an estimate, roughly 10,000 to 15,000 students, would have studied cyber security under ISEA, said an official associated with the programme. 

According to cyber security experts, there are around one lakh cyber professionals in the country. “To add another four lakh, the government will provide informal, non-academic, three to six months job-oriented training on different aspects of cyber security,” said Bajaj. That’s how you will have an adequate number of professionals in the country.

The policy also talks about promoting a comprehensive national awareness programme on security of cyberspace. Owing to the support from the industry and DeitY, the DSCI ran eight labs to train policemen, judicial officials, defence personnel and intelligence officials. It provides one-week training to the officials at these labs. Since 2008, the council has trained approximately 40,000 officials, said Sharma. However, due to lack of funds the DeitY has withdrawn funding for four labs. At present, only labs at Bengaluru, Pune, Kolkata and Mumbai are functional. 

9. The effective implementation of NCSP requires political and bureaucratic will at the top. On multiple occasions prime minister Narendra Modi has publicly reiterated the importance of cyber security. In June, Modi and US president Barack Obama even agreed to finalise a ‘Framework for the US-India Cyber Relationship’. But these are mere statements so far.

In reality, experts believe, cyber security is still not a priority of the government. “His [PM Modi’s] national security advisor Ajit Doval is an operations guy. He has been mostly in the field. For him cyber security certainly is not a matter of grave concern,” said a senior police official and a cyber security expert. So was the case with Doval’s predecessor, Shivshankar Menon. Although he was a not field operative, he did not perceive cyber security as a crucial area, say experts.

In February, unidentified hackers performed one of the biggest bank robberies in history, infiltrating into the central bank of Bangladesh, siphoning off $81 million. The money was transferred to a bank in Philippines, but the money could not be traced.
Cyber threat is growing day by day, but India is yet to wake up to its reality. The NCSP 2013, in its last para, states: “This policy shall be operationalised by way of detailed guidelines and plans of action…” The wait for the guidelines and action plan continues.



pratap@governancenow.com

(The article appears in the August 16-31, 2016 issue of Governance Now)