Public-private cooperation: A key pillar in creating a cyber-secure India
While the new guidelines for cybersecurity are an interim step to have the requisite information to identify and counter cyberattacks, the debate around specific provisions must become part of a larger cyber-doctrine conversation in India
Recently, the Indian Computer Emergency Response Team (CERT-In) housed within the ministry of electronics and information technology (MeitY) issued guidelines for cybersecurity, under Section 70-B of the Information Technology (IT) Act. The stated goal is to “augment and strengthen the cybersecurity in the country” and “coordinate response activities as well as emergency measures with respect to cybersecurity incidents.”
The guidelines, among other things, have mandated all service providers, data centres, corporate bodies, and government organisations to report all cyber incidents within six hours. Cyber incidents include data leaks and breaches, attacks on mobile apps, unauthorised access to IT systems, identity thefts, and phishing attacks. They are also required to maintain logs of all their tech systems for a rolling period of 180 days within the Indian jurisdiction. In addition, virtual private network (VPN) service provider details, details of customers of data centres and virtual asset exchange providers (for example, crypto-exchanges), have also been covered under the directives.
Industry bodies from Europe and the United States (US) such as the US Chamber of Commerce and the US-India Business Council have argued that these directives may make it more difficult to do business in India. Others have argued that internationally recognised principles such as “storage limitation”, “purpose limitation”, and “data minimisation” have been ignored, and overly excessive requirements have been put in place.
Data localisation requirements — implicit in the guidelines — have also been opposed by foreign big tech firms which are not in favour of data localisation. Critics have also argued that the end-users — those who have been victims of the cyber-attacks — have not been given any clarity or protection via these guidelines.
Ultimately, a balance will need to be found between the stated objectives of the government and the concerns raised by certain quarters. The cyber domain and the connected networks are built, owned, managed, controlled, and operated by a multitude of players. The security of cyberspace, therefore, cannot remain the domain, or even the responsibility, of just the government. This is unlike the physical domain, where law and order, defence, and national security are largely the responsibility of the government. The onus of securing the defence of privately-owned computer systems and connected industrial networks must lie on the private owners as well. The government’s role is to support private players with policy frameworks, law enforcement, information sharing, diplomacy, and, where needed and appropriate, military force.
Both sectors must realise that private-public cooperation will be essential if India, like other nations, is to achieve a greater level of cybersecurity. The capabilities to identify, detect, report, resist, and counter cyberattacks lie much more in the private sector today than in the public. The government recognises this, as is evident from the nature of the guidelines issued by CERT-In. The private sector also needs to recognise its role and responsibilities in this shared goal of a cyber-secure India.
A body comprising representatives of key tech players and service providers along with government cybersecurity officials and experts must be constituted that can improve the communication, information, and capabilities between the public and private sectors when it comes to successfully defending against cyberattacks. This body can also deliberate on how to put in place certain obligations and responsibilities on private sector firms, and what incentives, if any, must accompany such obligations.
Public-private sector cooperation will also be critical in building up resilience against such cyberattacks. The ability to get any products, services or infrastructure up and running again quickly post an attack is as important as being able to identify or prevent an attack in the first place. The capabilities to build such resilience will need to be pooled together as well.
Countries like the US have already recognised this. There, large tech firms, as well as cybersecurity firms, have become critical partners. For example, the Intelligence and National Security Alliance (INSA), established in 2005 in the US, is a powerful but not widely known coalition of private companies working collaboratively with the US National Security Agency and the broader US security establishment. A brief survey of the INSA website shows that its list of corporate members includes IT services firms such as Booz Allen Hamilton and Accenture, and tech firms such as Amazon Web Services, Microsoft, Adobe, CISCO, Dell EMC, Intel, IBM, Oracle, Verizon, Cloudera and Salesforce.
The debate around the CERT-In guidelines also reflects the fact that India’s cybersecurity efforts and policies will go through multiple stages of iteration and evolution, as cyber warfare becomes more prevalent. As I have argued in my book, The Great Tech Game: Shaping Geopolitics and the Destinies of Nations, India needs to evolve a comprehensive and well-thought-out cyber doctrine, that is, a clear set of guiding principles and objectives, matched by the requisite cyber-defence and cyber-offence capabilities. We must also be clear on the strategy, the partners, and the capabilities required to achieve those cyber-capabilities.
So, while the guidelines are a much-needed interim step to have the requisite information to identify and counter such attacks, the debate around the specific provisions must actually become part of a larger cyber-doctrine conversation in India. The conversation must be a two-way street between the government and private actors. But most importantly, the action plan must be a coordinated one as well.
Anirudh Suri is managing director, India Internet Fund and author of The Great Tech Game
The views expressed are personal