Centre planning separate cybersecurity policy
The National Security Council Secretariat, which works with the National Security Advisor in an advisory role to the Prime Minister on national security matters, is considering a stand-alone law for cybersecurity in India, and is working on a strategy document that will consider both the domestic and international implications of such a policy, people familiar with the matter said.

The policy will be the first of its kind, even as provisions for cybersecurity exist under the information technology law and certain financial regulations mandated by the Reserve Bank of India. But India does not have a stand-alone law in the domain.
The policy is being worked out by National Cyber Security Coordinator Lt Gen (retd) Rajesh Pant in the secretariat. “It is one of the deliverables of the proposed National Cyber Security Strategy, and is required to cater for new age cyber crimes,” Pant said.
The policy may have three broad pillars, the people added: national security, enabling businesses and individual security.
“There is a need for cybersecurity to be a stand-alone law,” one of the people cited above said on condition of anonymity. “It will be a policy document that will elevate the current position of the country to a whole new level, with a special focus on emerging technologies.”
The secretariat has notified a list of trusted telecom vendors. The new policy is also likely to focus on critical infrastructure. “It will evaluate domestic as well as international needs,” the first person said. “It is likely to address India’s position on artificial intelligence, data sharing and data localisation.”
India’s position on data sharing is currently covered by the personal data protection bill, which is awaiting a report by the joint parliamentary committee. It states that personal data, or critical data, has to be stored within the country, and cannot be shared with others without the explicit approval of the data fiduciary, which can be overridden by the government.
“The policy is being worked on after a careful look at how other countries are approaching cybersecurity, including the US and the UK,” the first person said. “While in the US, the approach is more about economic empowerment, India needs to find a neutral ground between financial and national security considerations.”
The law may also have enabling conditions for blockchain and cryptocurrency.
Internet Freedom Foundation trustee Apar Gupta said: “The legislations under the IT Act are more principally inclined towards the creation of Cert-In. There is no legislative concept of technical control and oversight yet, but there are specific laws with respect to payments and settlements.” Cert-In is short for Indian Computer Emergency Response Team.
