New cyber security policy aims for safe, resilient to boost economic progress

Authorities are putting the finishing touches to the Cyber Security Policy, 2020, which will have a provision for a centralised repository for detecting, reporting and analysing malware in India, and for devising countermeasures, according to officials aware of the matter.

The policy seeks to create “safe, secure, trusted, resilient and vibrant” cyberspace for India’s “economic progress,” one of the officials cited above said on condition of anonymity. “Reliance on the internet has increased and [also] threats have emerged,” the official said. The official added that the new policy will focus on issues such as mandatory courses in schools and colleges on “cyber hygiene”, which relate to online security, and indigenization, especially of anti-virus programmes.

“Anti-virus programmes pick up data from systems, which are subsequently deposited in servers abroad,” said a second official on condition of anonymity.

Malware, or malicious software, can be used for stealing, encrypting or deleting sensitive data as well as for hijacking computing functions. The Nuclear Power Corporation of India Ltd, which runs nuclear reactors across the country, in October said it had identified malware in one of its computers in September but its systems were unaffected.

Facebook-owned messaging platform WhatsApp in October sued Israeli surveillance firm NSO Group, accusing it of helping clients break into the phones of roughly 1,400 users including in India through a malware. The targets of the hacking included dissidents and journalists.

The officials cited above said the new policy will be circulated among ministries before it is placed before the Union cabinet for its clearance. The new policy is likely to come up before the Cabinet in a couple of weeks.

A cyber security policy adopted earlier in 2013 was aimed at creating safe and secure cyberspace.

The officials said the new policy will concentrate on interagency and interministerial coordination to improve the cybersecurity infrastructure. The Union home ministry will be the nodal agency in dealing with cybercrime and issues such as cyber forensics, innovation, and research. The electronics and information technology ministry will continue to be responsible for the responses to threats and mitigation.

Unlike the previous policy, the new one will lay special stress on cybersecurity awareness among young adults, the officials said. The Union human resources development ministry will be roped in to design and run mandatory courses in schools and colleges on “cyber hygiene”. “Cyber hygiene is critical in an increasingly connected world and [good cyber] habits will have to be developed from a very young age. Cyber education will have to be built into curriculums of schools and high schools,” the second official said on condition of anonymity.

The external affairs ministry will be in charge of cyber diplomacy, which involves evolving a rule-based system and governance of the worldwide web among other issues.

The new policy is likely to be similar to the ones in Singapore, the UK, and Australia, and will make the Prime Minister of India the final authority on all issues concerning the cyber world. The National Security Advisor (NSA) would assist the Prime Minister, the officials cited above said. India’s Cyber Security Coordinator reports to the NSA. The coordinator will be empowered further and will be responsible for coordinating with different agencies like those engaged in detecting and eliminating threats, those involved in cyber governance etc, and prioritising issues.

“It is a good idea to have an indigenous malware analysis system and threat repository in India. This will reduce the dependency on free sites mostly run by foreign entities for intelligence collection. An Indian malware vault would give a first hand and timely intelligence and warnings to the Indian stakeholders,” said Jiten Jain of the Voyager Infosec System.