National Cyber Security Policy: A Shield from Cyber Threats

In the twenty-first century, our lives have become technocratic and digital in all aspects. We have progressed from a time when computers were solely used for official tasks to a time when a single click on our phones can enable us to speak with individuals on the other side of the world; view movies and television shows; obtain education from colleges around the world, and research nearly anything. We are "practically living in a virtual real estate" called "cyberspace." However, as technology becomes more integrated into our daily lives, cyber risks are on the rise, ranging from online stalking and fraud to cyber espionage and warfare. To combat any threat, a defence strategy/policy is required; similarly, to combat cyber threats, a cyber-security policy is required.

This article focuses on the issues we confront in cyberspace, and it discusses four primary kinds of cyber threats: cybercrime, cyber terrorism, cyber espionage, and cyber warfare. Following an overview of the primary cyber dangers, this article will address how cyber security policy may protect us from them and why it should be a national policy priority.

Introduction to Cyber Security

The phrase ‘Cyber Security’ comprises of 2 terms i.e., ‘Cyber’ and ‘Security’. Living in the era of technology, we are surrounded by machines and devices everywhere. Technology has become an integral part of human life to such an extent that it has created its multidimensional place within the world. In other words, this means that human beings now not only belong to geographical, political, social, or economic space, but they are very much a part of the ‘cyberspace’ as well.

‘Security’ generally refers to the presence of peace, safety, protection of human and physical resources, or absence of crisis and threat to human dignity. Thus, ‘Cyber Security’ refers to the ‘ability to control access to networked systems and information they contain’.

We generally need ‘security’ to protect ourselves from some sort of attack, crime, terrorism, or warfare. Similarly, the purpose of cyber security is to protect us from various ‘Cyber Threats’.

Cyber Threats: Cyber Crimes, Cyber Terrorism, Cyber Espionage, and Cyber Warfare

‘Cyber Threats’ is a very broad term that encompasses within it the following categories: -

·       Cyber Crimes

"Any unlawful conduct where a computer/communication device/computer network is utilized to perpetrate or enable the commission of a crime," is known as cyber-crime. Cybercrime can jeopardize a person's, company's, or country's security and financial well-being. Some cybercriminals are organized, use advanced techniques, and are highly technically skilled while others are novice hackers.

Different types of Cyber-crimes include the following: -

a)         E-mail and Internet fraud

b)         Identity Fraud (where personal information is stolen and used)

c)         Theft of financial or card payment data

d)         Theft and scale of corporate data

e)         Cyber Extortion (demanding money to prevent a threatened attack)

f)         Ransom-ware Attacks

g)         Crypto-jacking (where hackers mine crypto-currency using resources they do not own)

India was ranked among the Top 5 countries to be suffering from Cyber Crime, according to a 22 October report by online security firm “Symantec Corp”. India also secures a top spot amongst the Top 10 spam-sending countries alongside the USA.

·       Cyber Terrorism

Cyber Terrorism refers to the “use of information technology by terrorist groups and individuals to further their agenda. This can involve using information technology to plan and carry out attacks on networks, computer systems, and telecommunications infrastructures, as well as exchanging data and issuing threats electronically" (National Conference of State Legislatures, USA). Although "crime" and "terrorism" are comparable in some ways, there is a fine line that separates them. Basically, ‘crime’ is ‘personal’ while ‘terrorism’ is ‘political’ Crimes are committed for individual, personal reasons, the foremost important of which are personal gain and the desire to harm others psychologically and/or physically. Terrorism often leads to the infliction of “harms” indistinguishable from those caused by crime but the “harms” are inflicted for different reasons.

·       Cyber Espionage/Spying

 ‘Cyber espionage’ or ‘Cyber spying’, can be generally defined as the ‘act or practice of obtaining secrets and information without the permission and knowledge of the holder of the information from individuals, competitors, rivals, groups, governments and enemies for personal, economic, political or military advantage using networks or individual computers through the use of proxy servers, cracking techniques and malicious software.

Cyber Espionage has been taking place almost since the dawn of the web, with Russia, China, Iran, and North Korea generally seen as the countries most likely to be engaging in Cyber-espionage campaigns against western targets.

•        Cyber Warfare

Cyberwarfare refers to the use of technology to attack a nation and cause similar destruction to traditional combat. The conduct of military operations using virtual means is known as cyber warfare. It consists of nation-states employing cyberspace to achieve the same broad goals that they do with conventional military force, namely, to gain certain advantages over a competing nation-state or prevent a competing nation-state from gaining advantages over them. With the recent ramp-up of Cyber-crimes, Cyber terrorism, Cyber Espionage, and Warfare, how can nation-states head off digital conflicts and protect themselves?

Cyber Security: A National Policy Priority

Cyber-attacks are not going away any soon. However, along with this, there is arising threat of state-sponsored cyber-attacks. Today 20+ countries are aggressively building cyber-attack organizations with the most sophisticated attack technology. In such a situation, the nation-states are trying to protect themselves through various means yet it is not sufficient to deal with cyber-threats by ad-hoc application of tools and procedures as and when problems arise. A nation-state needs to be proactive and be ready, organized with a set of controls, trained personnel, and a written and well-executed Cyber Security Policy.

National Cyber Security Policy of India (2013) 

To scrutinize and protect information and strengthen defences from cyber-attacks, the National Cyber Security Policy was released on 2nd July 2013 by the Government of India. The vision of this policy is “to ensure a secure and resilient cyberspace for citizens, businesses, and the government.” With rapid information flow and transactions occurring via cyberspace, a national policy was much needed. The document highlights the importance of Information Technology (IT) in driving the economic growth and development of the country. It endorses the very fact that IT has played a significant role in transforming India’s image to that of a worldwide player in providing IT solutions of the finest standards. It aims the protection of information infrastructure in cyberspace, reduces vulnerabilities, builds capabilities to prevent and respond to cyber threats and minimize damage from cyber incidents through a combination of institutional structures, people, process, technology, and cooperation.

Key Highlights/Strategies of the Policy

Some of the strategies chalked out within the policy to fulfil its objectives include:The policy aims at creating a national-level nodal agency that will coordinate all matters related to cyber security in the country.

• The policy will make sure that all organizations earmark a specific budget to implement their security policies and initiatives.

• To create an assurance framework, the policy will create conformity assessment and certification of compliance to cyber security best practices, standards, and guidelines.

• A legal framework will be created to deal with cyber security challenges arising out of technological developments in cyberspace.

• The policy also plans to enforce a periodic audit and evaluation of the adequacy and effectiveness of security of data infrastructure in India.

• The policy will create mechanisms to obtain early warnings in case of security threats, vulnerability management, and response to the security threats thereof.

• A 24x7 operational national-level computer emergency response team (CERT-in) will function as an umbrella organization that will handle all communication and coordination to deal with cyber crises.

• To secure e-governance services, the policy will take various steps like encouraging wider usage of Public Key Infrastructure (PKI) standards in communications and engagement of expert cyber security professionals /organizations to participate in e-governance.

• The policy will encourage and mandate the use of tested, validated, and authorized IT products in all sensitive security areas.

 The release of the National Cyber Security Policy 2013 is a crucial step toward securing the cyberspace of our country. However, a policy that only remains good on paper and isn’t well-executed or implemented does not help the country in any way. The National Cyber Security Policy of 2013 has certain loopholes within its strategies, and its weak implementation just provides one among the various other reasons for its failure. The policy is drafted in broad terms, and it still needs plenty of work to be done. Let’s have a glance at the major areas where this policy has failed.

National Cyber Security Policy: A Policy on ‘Paper’

While we may commend the government for developing a cyber-security strategy with certain substantial aims and methods, we can also clearly identify several inherent issues with the policy's mechanism. These are some of them:

• The policy is nothing more than a collection of policy declarations and high goals with no corresponding implementation plan. It appears to be 'incomplete' since it lacks a 'national cyber action plan.'

• Another area where this approach falls short is dealing with the risks posed by criminals and anti-national groups increasing their use of social networking sites by criminals and anti-national elements.

• The Policy does not contain parameters for effective implementation. The policy also doesn’t mention the Information Technology Act of 2000 which is critical in the event of a conflict.

• Further, deficiencies can be found within the policy as it does not elaborate on the parameters of privacy in the context of cyber security. Cyber Security, Privacy, and Civil liberties constitute the 3 major components of the triangle that is integral to the current issue.

• The policy does not specify how the data will be collected, processed, and used. It has no checks and balances to ensure that activities meant for safeguarding online information are not abused.

• The policy does not incorporate cyber-crime tracking, Cyber forensic capacity building, and the creation of a platform for sharing and analysis of information between public and private sectors, which are the most crucial elements for securing cyber-space.

Formulating a policy on Cyber security is a commendable first step for India, yet there are a lot of loopholes and issues that need to be addressed within this policy as it fails to match several parameters. The key to the success of any policy lies in its effective implementation. So, what India needs at the moment is a robust and well-executed Cyber Security Policy rather than a policy that is faulty even on paper.

Conclusion: A ‘Robust’ Cyber Security Policy: Need of Today and Necessity for Tomorrow

Having had so many flaws within the existing National Cyber Policy (2013), India aims to come up with a new ‘robust’ cyber policy. The announcement by the Prime Minister on 15th August 2020 (Independence Day) that India will soon have a new and stronger cyber policy is a major step towards creating a powerful cyber defence for India. A new Cyber policy is very essential for the country as our country’s dependence on cyberspace has increased at a great pace.

As India is moving towards the world of digitization, robust cyber security has become the ‘need’ of the hour. The new cyber security policy is expected to fill current gaps and provide a stronger framework to handle issues related to cyber security. The policy will focus on major governance reforms to handle cyber security issues at the national level. The National Cyber Security Coordinator (NCSC) and other agencies have made extraordinary efforts to handle such issues. Currently, RBI, SEBI, IRDAI, TRAI, etc. have different cyber security frameworks for their regulated entities. However, none of the frameworks talks about an integrated approach to handling cybercrime. Thus, the policy also needs to address a unified cyber security framework across various organizations within the country.

The testing times of COVID-19 have somehow brought us to a point where we can’t help but rely on digitization and cyberspace for all our day-to-day activities –from working from home to buying groceries online to attending online classes- everything is taking place in the cyber world. We have taken a long jump to this digital world and if we want to sustain ourselves within this “space” then we need to have a National Cyber Policy that acts as both weapon and shield against all sorts of cyber threats.

0 comments

Leave a comment