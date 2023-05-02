India’s story of digital transformation in the last nine years is unprecedented. Whether it is the adoption of smartphones, UPI or Aadhaar-based transactions, the country’s scale and speed of digital adoption have surprised most. However, cybersecurity and cybercrime are two key challenges that have come along with digital technology adoption. According to CERT-In, there were 1.4 million security incidents in 2021. Cybercrime increased from less than 3,500 cases in 2012 to over 52,000 in 2021. Moreover, the attacks are getting more sophisticated. A recent Massachusetts Institute of Technology report ranked India 17th among 20 digital economies on their preparation against, and response and recovery from, cybersecurity threats. This is not good news for a country that wants to be a vishwaguru (global leader) in digital technologies. PREMIUM India’s cybersecurity challenges can be divided into five buckets. (Shutterstock)

India’s cybersecurity challenges can be divided into five buckets.

Lack of compliance: Missing patches due to the lackadaisical approach of users is a common problem. Similarly, access control is not strictly adhered to, and passwords are shared easily. Another common shortcoming is not complying with the requirements to have a full-time chief information security officer.

Lack of regulation: Leaking or sharing of customer data can be reduced significantly with regulation and punitive provisions. Only banking, securities exchanges, and market infrastructure entities have cybersecurity regulations, including the power of supervision. The next best scenario is in the power sector, which has some guidelines, but no statutory backing, and, therefore, lacks effectiveness. Sectors such as oil and gas, maritime, steel and other heavy industries, health care, education, drones, and automobiles do not have sector-specific cybersecurity regulations. Only some assets are declared as “critical information i”, but the National Critical Information Infrastructure Protection Centre (NCIIPC) does not – and possibly cannot – cover the ever-expanding list of critical information infrastructure and NCIIPC guidelines also do not cover the sector-specific challenges.

Lack of awareness: Many systems use end-of-life software or pirated versions, which the original equipment manufacturers need to protect. Unknowingly, users of such applications walk into a potential minefield.

Lack of competencies: The average coding quality is poor due to inadequate standard practices and coding skills. Manpower in cybersecurity is critically low, and the situation will worsen as well-trained cybersecurity professionals will be needed in government and private sectors.

Lack of innovation: Atmanirbharta (self-reliance) has been neglected in this domain. Apart from reducing dependence on others, an indigenous solution will have the added advantage of requiring potential attackers to break a new safety device. Innovation is relevant in emerging tech areas where solutions still need to be created, and India could lead this market. Quantum computing is most important in this regard. We may have a quantum computer by 2030. A fully functioning quantum computer will break the existing public-key encryption algorithms, impacting all secure electronic transactions. The second is Artificial Intelligence (AI). With the advent of powerful generative AI tools (GPT and other large-language-model technologies), new problems, such as deep fakes must be dealt with. Cybersecurity attacks will get easier.

An action plan for improving India’s cybersecurity profile may consider the following. First, replace the outdated Cyber Security Policy 2013 with a new one. Second, start a cyber swachchta (hygiene) programme. Make cybersecurity an integral part of school curriculum and in all education or information dissemination programmes. The Prime Minister (PM) can lead greater mass consciousness through Mann Ki Baat and other public contact programmes; Use AI to detect infractions by users and send alerts. Third, enact a data privacy and security law with necessary punitive provisions for lack of protection of customer data. Fourth, implement a sector-specific regulatory framework and supervision for all major sectors, including drones and automotives. Self-regulation could also be encouraged wherever feasible. A PM’s Office-led committee should monitor time-bound action by ministries concerned. Fifth, driving innovation in all emerging areas of cybersecurity is a must. Quantum computing challenges must have an early timeline, given the impending dangers. iDEX and other similar platforms can be leveraged. Sixth, develop a road map to move to post-quantum public key cryptography so that before 2030, all public-key cryptosystems are safe from quantum-based attacks. Seventh, scale up cybersecurity-related human resource development by 10X for domestic needs and exporting human expertise worldwide. Eight, police departments need to significantly ramp up their cybercrime analysis, forensic analysis, investigative capabilities, and infrastructure.

The domain of cyber may be virtual, but the adversary is real. And the adversary is known to engage in malicious cyber activities to achieve its strategic interests. The current national cybersecurity kavach (shield) has gaping holes that need to be plugged. No investment is significant for national security, but in this case, investments made in cybersecurity will yield rich dividends.

Ajay Kumar is former defence secretary

The views expressed are personal