National Cyber Security Policy 2013

The Government of India on 1 July 2013 launched the National Cyber Security Policy 2013 with an aim to protect information and build capabilities to prevent cyber attacks. The National Cyber Security Policy 2013 is to safeguard both physical and business assets of the country.

Earlier, the Government of India on 8 May 2013 approved the National Cyber Security Policy with an aim to create a secured computing environment across the country.

The salient features of the National Cyber Security Policy 2013

The Policy outlines the roadmap for creation of a framework for comprehensive, collaborative and collective responsibility to deal with cyber security issues of the country. The policy has ambitious plans for rapid social transformation and inclusive growth and India’s prominent role in the IT global market.

The policy lays out 14 objectives which include creation of a 5,00,000-strong professional, skilled workforce over the next five years through capacity building, skill development and training.

The policy plans to create national and sectoral level 24×7 mechanisms for obtaining strategic information regarding threats to ICT infrastructure, creating scenarios for response, resolution and crisis management through effective, predictive, preventive, proactive response and recovery actions.

The policy will also establish a mechanism for sharing information as well as identifying and responding to cyber security incidents and for cooperation in restoration efforts.

The policy identifies eight different strategies for creating a secure cyber eco-system including the need for creating an assurance framework apart from encouraging open standards to facilitate inter-operability and data exchange amongst different products or services.

There is in place a plan to operate and strengthen the national Computer Emergency Response Team (CERT-In) to operate 24×7 and to act as a nodal agency for all efforts for cyber security, emergency response and crisis management, as an umbrella agency over CERTs.

It is expected that he policy will cater to the cyber security requirements of government and non-government entities at the national and international levels. The policy will help in safeguarding the critical infrastructure like Air Defence system, nuclear plants, banking system, power infrastructure, telecommunication system and many more to secure country’s economic stability.

National Nodal Agency

The National Cyber Security Policy, in order to create a secure cyber ecosystem, has planned to set-up a National Nodal Agency. The nodal agency will be coordinating all matters related to cyber security in the country.

The nodal agency has a wide mandate as it will cover and coordinate security for all strategic, military, government and business assets. This is distinctive, since, so far, national security regimes have been divided among the Ministry of Defence (for securing India’s borders) and the Ministry of Home Affairs (for national and internal security across States).

Public-private partnership to protect national assets

Another defining aspect of the policy is the level at which it envisages public-private partnership to protect national assets.

There is a clear recognition in the policy that, apart from India’s IT, technology and telecommunications services, large parts of financial & banking services, airline & transportation services, energy and healthcare assets are not only owned by the private sector but, in fact, remain vulnerable to cyber-attacks, both from state and non-state actors.

Protection centre

A crucial aspect of the policy is building resilience around the Critical Information Infrastructure (CII) by operationalising a 24×7 Nation Critical Information Infrastructure Protection Centre (NCIIPC). The Critical Information Infrastructure will comprise all interconnected and interdependent networks, across government and private sector.

The NCIIPC will mandate a security audit of CII apart from the certification of all security roles of chief security officers and others involved in operationalising the CII.

Operationalisation

The policy will be operationalised by way of guidelines and Plans of Action, notified at national, sectoral, and other levels. While there is a recognition of the importance of bilateral and multilateral relationships, the policy does not clearly identify India’s position vis-à-vis the Budapest Convention even though government delegations have attended meetings in London and Budapest on related issues in 2012.

Why does India need a cyber security policy?

Cyber security is critical for economic security and any failure to ensure cyber security will lead to economic destabilization.

India already has 800 million active mobile subscribers and 160 million other Internet users of which nearly half are on social media. India targets 600 million broadband connections and 100% teledensity by 2020. Internet traffic in India will grow nine-fold by 2015 topping out at 13.2 exabytes in 2015, up from 1.6 exabytes in 2010.

The ICT sector has grown at an annual compounded rate of 33% over the last decade and the contribution of IT and ITES industry to GDP increased from 5.2% in 2006-7 to 6.4% in 2010-11, according to an IDSA task force report of 2012.

Given the fact that a nation’s cyber ecosystem is constantly under attack from state and non-state actors both. It becomes extremely critical for India to come up a coherent cyber security policy.

One of the key objectives for the government is also to secure e-governance services where it is already implementing several nationwide plans including the “e-Bharat” project, a World Bank-funded project of Rs. 700 crore.