A year on, cyber security strategy pending with government

The country’s cyber security strategy, which proposes a separate legislative framework for cyberspace and the creation of an apex body to address threats, responses and complaints, has been pending with the central government for over a year, people familiar with the matter said.

The strategy, conceptualized by the National Security Council Secretariat of India headed by Lt General Rajesh Pant, has been in the works for the past two years. Called National Cyber Security Strategy, 2021, the policy stresses on a need for a legislative framework to address the emerging challenges in the technology space.

“Look at Ukraine right now, there is a cyberwar underway there. Their power, their telephone networks, were affected,” a person familiar with the matter said, requesting anonymity. “Cybersecurity needs to be expanded to protect many verticals of critical infrastructure. In Australia they have included water, power and even education under the policy.”

Pant was unavailable for comment.

India needs to implement a strategy immediately, said NS Nappinai, lawyer and founder of Cybersaathi, a non-profit. “India needs its special cyber security law and dedicated authority expeditiously. This would be in keeping with global trends,” Nappinai said. “The existing legal and regulatory frameworks do not address the evolving threat scenarios or processes to combat the same.”

Currently, the response to cyber security threats can be taken under the information technology act and the Indian Penal Code. The Indian Computer Emergency Response team (CERT-In ) takes care of incident response and the National Critical Information Infrastructure Protection Centre (NCIIPC) was created in 2008 to look after critical infrastructure.

The policy will focus on both threat assessment and response. “There is no dedicated body to look after cyber security at present. There is no one that you can hold accountable,” said the person cited earlier.

The strategy aims to create a comprehensive system, with both state-owned and private companies having to comply with cybersecurity standards. It provides for a periodic cyber audit and recommends annual reviews by the apex body that will be created.

“The idea is that there should be a consolidation, integration, reorientation and realignment of existing mechanism to create the apex body,” the first person said.

In a first, top cyber security officials of Australia and India met at the Quad summit to discuss possible ways to adopt cyber safety measures. A centre of excellence, a collaborative venture, will also be set up in Bangalore to further innovations in the area.

Australia’s policy, which was rolled out in 2020, has expanded sectors covered under the policy from the earlier four to 11. Similarly, the UK has designated 13 sectors as critical infrastructure.

The outline of the policy, the people familiar with the matter said, will aim to designate cyber security as a strategic sector. “There will be an obligation upon all players to ensure cyber safety, this can only be done if Parliament passes a bill,” the first person said.