Day 93 – Q 5.Critically evaluate the institutional framework established to thwart cyber security threats in India.

5. Critically evaluate the institutional framework established to thwart cyber security threats in India. 

भारत में साइबर सुरक्षा खतरों को विफल करने के लिए स्थापित संस्थागत ढांचे का समालोचनात्मक मूल्यांकन करें।

Introduction:

The digital economy today comprises 14-15% of India’s total economy, and is targeted to reach 20% by 2024. India has more than 120 recognised ‘data centres’ and clouds. These factors clearly necessitate a robust institutional framework to thwart cyber security threats and secure the national cyber space.

Body

• With more inclusion of artificial intelligence (AI), machine learning (ML), data analytics, cloud computing and Internet of Things (IoT), cyberspace will become a complex domain, giving rise to issues of a techno-legal nature. Sectors such as healthcare, retail trade, energy and media face advanced persistent threats (APTs). 
• Further, incidents relating to data leakage, ransomware, ATM/credit cards denial of service, diversion of network traffic intrusion in IT systems and networks using malware are also on rise. Attacks on embedded systems and IoT have also registered a sharp increase of late.
• Currently, the Information Act, 2000 is the primary law for dealing with cybercrime and digital commerce in the country. The Act was first formulated in 2000, and then was revised in 2008 and came into force a year late. The Information Technology (Amendment) Bill, 2008 amended a number of sections that were related to digital data, electronic devices and cybercrimes.
• In this regard, the Government has taken several steps to prevent and mitigate cyber security incidents. These measures and their analysis include:
• Establishment of National Critical Information Infrastructure Protection Centre (NCIIPC) for protection of critical information infrastructure in the country. Inadequate cybersecurity professionals available to partner with NCIIPC to cover the whole sector is one of the major drawbacks.
• All organizations providing digital services have been mandated to report cyber security incidents to CERT-In expeditiously. More coherence is needed in CERT operations for greater effectivity.
• Cyber Swachhta Kendra (Botnet Cleaning and Malware Analysis Centre) has been launched for providing detection of malicious programmes and free tools to remove such programmes. The reach of this initiative has been an issue which needs to be tackled expeditiously.
• Issue of guidelines for Chief Information Security Officers (CISOs) regarding their key roles and responsibilities for securing applications / infrastructure and compliance.
• Provision for audit of the government websites and applications prior to their hosting, and thereafter at regular intervals. Such measures need to be regularised and institutionalised.
• Empanelment of security auditing organisations to support and audit implementation of Information Security Best Practices.
• Conducting cyber security mock drills and exercises regularly to enable assessment of cyber security posture and preparedness of organizations in Government and critical sectors.
• Conducting regular training programmes for network / system administrators and Chief Information Security Officers (CISOs) of Government and critical sector organisations regarding securing the IT infrastructure and mitigating cyber attacks.
• Further, the Government has launched the online cybercrime reporting portal, www.cybercrime.gov.in to enable complainants to report complaints pertaining to Child Pornography/Child Sexual Abuse Material, rape/gang rape imageries or sexually explicit content. 
• Also, The Central Government has rolled out a scheme for establishment of Indian Cyber Crime Coordination Centre (I4C) to handle issues related to cybercrime in the country in a comprehensive and coordinated manner.

The concept of ‘active cyber defence’ is generally being adopted to address the new challenges. Examples of this are EU’s General Data Protection Regulation (GDPR). The global multi-stakeholder model of internet governance is showing cracks. In this regard, following step can be considered in India-

• One, a concise ‘National Cybersecurity Strategy’ that sets clear, top-down directions to enhance the cyber resilience for the ecosystem that includes government, public and private sectors, the citizenry, and also addresses international cyber issues. 
• Two, a separate ‘Cybersecurity Policy’ based on principles laid down in ‘strategy’. It must be outcome-based, practical and globally relevant, as well as based on risk assessment and understanding of cyberthreats and vulnerabilities.

Conclusion

According to the National Cyber Security Coordinator, India is at number 23 of the UN Global Cybersecurity Index (GCI) 2017. Thus, an accountable national cybersecurity apparatus must provide clear mandates and be empowered adequately. It must be able to supervise and enforce policies across India, including policies regulated by independent regulators.