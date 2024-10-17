The Centre’s recent amendment to the (Allocation of Business) Rules, 1961, has addressed the ambiguity around which ministry is responsible for cybersecurity in India, National Cyber Security Coordination Lieutenant General MU Nair said on Wednesday, while highlighting the dearth of cybersecurity professionals in the country. NCSC: Ambiguity around cybersecurity resolved

Addressing the India Mobile Congress, Nair said: “Last time when I had spoken here, I had mentioned about the lack of clarity on responsibility of various ministries in the cybersecurity domain. This was one of the challenges which we faced. This has been addressed with cybersecurity now being included in the allocation of business rules of various ministries with designated responsibilities, coordination and strategic direction in this key domain of national security rests with the National Security Council Secretariat. I am sure this would be for better coordination and management of key objectives envisaged in the domain of cybersecurity.”

He was referring to the cabinet secretariat’s September 27 gazette notification that amended the allocation of business rules. As per the notification, the National Security Council Secretariat will provide “the overall coordination and strategic direction for Cyber Security”.

The NSCS is the secretariat of the National Security Council which is headed by the prime minister and is the highest decision-making body in the country for taking decisions on national security. The national cyber security coordinator (NCSC) is part of the NSCS. Nair is India’s third NCSC.

Nair also said that the scope of the National Security Directive on Telecommunication Sector (NSDTS) will be increased over the next few years to ensure “that every device that gets connected to a network, or hardware or software used are from a trusted source and is a trusted product”.

The NSDTS was issued on December 16, 2020 appointed the NCSC as the designated authority to determine vendors of telecom products as “a trusted source” and of a telecom product as “a trusted product”. This determination needs the approval of the National Security Committee on Telecom which is headed by a deputy NSA.

This directive, which came into effect in June 2021, was issued in the aftermath of the clashes with China in Galwan Valley after which the Indian government made concerted efforts to rid its critical information infrastructures of Chinese components. The directive does not mandate replacement of existing equipment.

The NCSC said that many more measures need to be taken to safeguard our supply chains.

Nair said that there is a significant skill gap when it comes to cybersecurity which needs to be addressed urgently. “We generate so many computer science graduates in our universities today. None of them have adequate knowledge about the cybersecurity domain,” he said. He mentioned that his office, in partnership with the Data Security Council of India (an industry body) had created TechSagar, a repository of India’s technology capabilities across 27 areas including AI/ML, robotics and automation, and others. The portal is still in beta stage.

“Conflict situations emerge in many parts of the world today. As a nation, we are constantly engaged in battles to safeguard our sovereignty, security and privacy from intrusive and anonymous threats both in physical domains and also in virtual domains,” he said as he mentioned that India is one of the top three targeted nations in the world because of its “vibrant and digital public infrastructure”.

“Targeted attacks on our national resources and critical infrastructure have become more vigorous and with these attacks having the potential to jeopardise our national security and also our social being,” Nair said.

He specifically called out ransomware attacks as a major cybersecurity threat, “especially against critical infrastructure which can have a major impact on utility services”.

In another panel at the conference, Dr Faruk Kazi, professor at the University of Mumbai, pointed out that over the last few years, the nature of threat actors has changed from random college going kids to state-backed hackers who have more resources.

Nair said that to achieve self-reliance in the ICT sector, we need “a strong regulatory and legal framework”.

In the same session as Kazi, Dr Lokesh Garg, a deputy director general in the National Critical Information Infrastructure Protection Centre (NCIIPC), said that state-backed cyber attacks on CII were becoming more common, especially during peace time so that they can be exploited as and when required.

Garg also said that telecom and power are “super critical information infrastructure” as all other CIIs are reliant on them for functioning.

On 5G, Garg said that as it has “decentralised architecture”, “the speed and virtualisation have increased the number of access points and that has increased the attack surface”. At the same panel, Salil Mittal, who leads cyber security for emerging technologies at Jio, said that as we moved to 4G, telecom networks became more software dependent, and with 5G and later 6G, this is bound to increase further.

The NCSC said that artificial intelligence and generative AI were double-edged swords. “[They] have enhanced the bandwidth and windows of opportunities for cyber criminals [but they also have] features which will assist in identifying vulnerabilities and trends proactively besides analysing ecosystems,” he said.