On 2 July, 2013, the Ministry of Communication and Information Technology’s Department of Electronics and Information Technology issued a notification introducing the National Cyber Security Policy (the “Policy”). This was a shift in practice, since until then matters of national security had been dealt with exclusively by the Ministry of Defence and the Ministry of Home Affairs.
Cyber security has two principal facets. The first is protection of cyberspace at large, which is aimed at preventing attacks on the national cyber space, including the hacking of critical government and private websites. The other facet is data protection and privacy, which deals with the protection of, and standards for maintaining, data belonging to individuals that is collected by any entity.
The aspects introduced or addressed by the Policy are as follows:
- Institutional Framework
- Open Standards
- Organisational Protections
- Data Protection
Under the Policy, the 24×7 Computer Emergency Response Team (“CERT”) is to function as the nodal agency coordinating all cyber security emergency response and crisis management efforts. The Policy also speaks of the creation of an umbrella organisation to operate sectoral CERTs.
Further, the Policy proposes the creation of the National Critical Information Infrastructure Protection Centre (“NCIIPC”). The NCIIPC’s objective is to mandate security practices related to design, acquisition, development, use and operation of information resources and to deal with emergency responses to cyber threats. The NCIIPC is to be a 24×7 organisation to deal with critical information infrastructure protection in the country. The NCIIPC is also to conduct audits of the critical information infrastructure.
The NCIIPC is to train five hundred thousand personnel skilled in cyber security over the course of the next five years through capacity building, skill development and training, to enable the effective prevention and prosecution of cyber-crime. In this mission the NCIIPC will partner with various privately owned organisations and institutions to achieve the stated goal. The concept of effective public-private partnerships is a central theme of the entire Policy and is envisaged as critical to achieving its goals.
The Policy seeks to promote the adoption of the best practices and provide for conformity and compliance assessment, and also to enable the implementation of the best practices in formal risk assessment and risk management.
The best practices to be adopted are meant for both private and public organisations. Such implementation becomes possible as the Policy aims at creating a system of cyber security in both private and public organisations, requiring them to designate a senior member as the Chief Information Security Officer. The Chief Information Security Officer in each organisation will be responsible for monitoring and ensuring the implementation of the best practices.
The Policy encourages the use of open standards for both private and government Information Communication Technology (“ICT”). Open standards are the foundation specifications for interoperability and for data and document formats in the state Information Technology (“IT”) infrastructure (“Open Standards”). The objective of open standards is to ensure that government IT infrastructure can be upgraded or altered seamlessly without depending on the same developer. The Policy also aims to promote a consortium of Government and the private sector to enhance the availability of tested and certified IT products based on Open Standards.
Open standards were first adopted in the United Kingdom. The Open Standards in the United Kingdom are not meant solely to ease transition during upgrades or alteration; they are also meant to ensure that the infrastructure is usable by the government officials it is built for and meets their user needs.
The cyber security aspect covered by Open Standards is corrective in nature. The implementation of Open Standards eases the rectification of damage caused by a cyber-attack, owing to the similarity in the source code of any software built to them.
The Policy sets out to secure e-governance by encouraging the use of Public Key Infrastructure for internal communication and transactions. This works on the basis of encryption and decryption. If a person must access a document that is encrypted with the author’s private key, that person must hold the public key that matches the private key in order to access the data. With regard to ICT, the Policy speaks of adopting guidelines for the procurement of indigenously developed ICT products.
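The paragraph above compresses how a Public Key Infrastructure is actually used. In conventional PKI practice each party has a key pair: the author’s private key is used to sign a document, so that anyone holding the author’s public key can verify who issued it, while confidentiality comes from encrypting the document to the intended recipient’s public key, so that only the recipient’s private key can decrypt it. The following Go program, written for this article and not part of the Policy or of any government system, shows both halves of that exchange using only Go’s standard library; the party names, the `SealDocument`/`OpenDocument` functions and the memo text are constructed for the illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KeyPair is one party's RSA key pair (constructed for this example).
type KeyPair struct {
	Private *rsa.PrivateKey
	Public  *rsa.PublicKey
}

// NewKeyPair generates a fresh 2048-bit RSA key pair for one party.
func NewKeyPair() (*KeyPair, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &KeyPair{Private: priv, Public: &priv.PublicKey}, nil
}

// SealDocument prepares a document for one recipient:
//   - the author SIGNS the document with the author's own private key, so
//     anyone holding the author's public key can verify authorship;
//   - the author ENCRYPTS the document with the recipient's public key, so
//     only the recipient's private key can decrypt it.
// RSA-OAEP limits the plaintext to a few hundred bytes; a production system
// would encrypt the document with a symmetric key and seal only that key this way.
func SealDocument(author *KeyPair, recipientPub *rsa.PublicKey, doc []byte) (ciphertext, signature []byte, err error) {
	digest := sha256.Sum256(doc)
	signature, err = rsa.SignPSS(rand.Reader, author.Private, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, nil, err
	}
	ciphertext, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, doc, nil)
	if err != nil {
		return nil, nil, err
	}
	return ciphertext, signature, nil
}

// OpenDocument reverses SealDocument on the recipient's side: decrypt with the
// recipient's private key, then verify the signature with the author's public key.
// A tampered ciphertext, the wrong recipient key, or a signature from a
// different author all yield an error instead of the document.
func OpenDocument(recipient *KeyPair, authorPub *rsa.PublicKey, ciphertext, signature []byte) ([]byte, error) {
	doc, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient.Private, ciphertext, nil)
	if err != nil {
		return nil, errors.New("decryption failed: wrong recipient key or tampered ciphertext")
	}
	digest := sha256.Sum256(doc)
	if err := rsa.VerifyPSS(authorPub, crypto.SHA256, digest[:], signature, nil); err != nil {
		return nil, errors.New("signature verification failed: document not from the claimed author")
	}
	return doc, nil
}

func main() {
	author, _ := NewKeyPair()
	reader, _ := NewKeyPair()
	// Constructed sample document; short enough for a single RSA-OAEP block.
	doc := []byte("Internal memo: constructed sample text for this example.")

	ct, sig, err := SealDocument(author, reader.Public, doc)
	if err != nil {
		panic(err)
	}
	got, err := OpenDocument(reader, author.Public, ct, sig)
	fmt.Printf("recovered=%q err=%v\n", got, err)

	// Tampered ciphertext: the OAEP check fails and nothing is recovered.
	ct[0] ^= 0xff
	_, err = OpenDocument(reader, author.Public, ct, sig)
	fmt.Println("tampered:", err)
}
```

The two checks in `OpenDocument` are what an e-governance deployment relies on: decryption failing proves the message was not addressed to this recipient or was altered in transit, and signature verification failing proves it did not come from the claimed author. Which key is held by whom, and how public keys are distributed and revoked, is the part a real PKI (certificate authorities, certificates, revocation lists) adds on top of this exchange.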
The Policy also deals with the involvement of private vendors to maintain and improve the end-to-end data supply chain and to better the standards of security. The model it prescribes is of Public Private Partnerships (“PPPs”) for training personnel for cyber security, and seeks the development of effective PPP models.
The Policy does not adequately deal with data protection. The existing data protection framework in India remains the provisions of the Information Technology Act, 2000. The Information Technology Act does not deal with all aspects of data protection and only deals with offences relating to invasion of privacy and breach of confidentiality. The Information Technology Act, 2000 does not lay down any standards to be maintained while transferring data.
The Policy, as stated above, establishes a clear framework for the protection of data belonging to the Government and businesses, but it does not deal with protections for the personal data of individual citizens.
The Policy has borrowed heavily from existing policies and frameworks such as the cyber security policies and legislation of the UK, the USA and the European Union. The institutional framework is similar to that of the European Union, while the implementation of open standards is certainly inspired by the policy of the UK. The overall cyber-security regime and organisational structure are similar to those of the United States of America, particularly in the portions of the Policy dealing with PPPs.
A criticism of the Policy is that it does not have as comprehensive a scope as the other policies. While all the other entities have incorporated standards for data protection, the Policy does not sufficiently deal with data protection. Data protection is an important facet as it concerns the privacy rights of an individual, which is an important right in cyberspace, especially in the light of the rise of e-commerce. The UK, for instance, has legislation in place to deal with data protection. Further, it is pertinent to note that under the European Union’s principles of data protection, in case of export of data outside the European Free Trade Area the recipient must comply with the European Union’s data protection principles.
With regards to policy making, the agency created by the European Union has the powers to make recommendations as to policy and legislation with regards to cyber security. The European Union further goes on to permit private entities with relevant expertise to make recommendations to the agency established under the policy or to the European Union itself so as to formulate effective methods for the protection of the European cyberspace. The agency is also allowed to make regulations to ensure the effective use of the cyberspace.
Cyber security in the United States is a defence mandate that has evolved from the time of the conception of the ARPANET, which by itself was a defence initiative. The US has had organisations such as the National Security Council (“NSC”) with wings to deal with cyber security from the time of the rise of the Internet. The United States policy in the recent years has been the expansion of their existing framework. The United States Army Cyber Command undertakes the defence of the US Army’s cyber networks, in addition to the 9th Signal Command that maintains and defends the network enterprises.
The current criticism and scepticism of civil society towards the Policy comes from the perspective of the privacy of the general public. In the light of the recent leaks about the activities of the NSC in the United States, the general fear is of a future invasion of privacy by the organisations established by the Policy.
Moreover, the Policy as stated above is certainly not as detailed as comparable policies of developed economies with similarly sensitive cyber-security concerns.
Despite the Policy lacking a framework for personal data protection, it is a step in the right direction. The Policy establishes a foundation for cyber security which, over time, can become as comprehensive as its foreign counterparts and can be effective in maintaining security in cyberspace.
Pingal Khan [email@example.com]