India has one of the highest number of internet users in the world, and is also among the top 10 countries facing cyberattacks. Today, the cybersecurity issues are not limited to hacking and money related frauds, but have become critical from national security point of view. The announcement by Prime Minister on Independence Day that India will soon have a new cyber security policy is very timely, as our country’s dependence on cyberspace has increased manifold.
The new cybersecurity policy is expected to address the current gaps and provide a strong framework to handle issues related to cybersecurity. The policy will focus on major governance reforms to handle cybersecurity issues at the national level. Today, there are many agencies at the national level and state level, looking into cybersecurity related issues. However, there is no centralized command to have an oversight on coordinated efforts for strategic and tactical areas to handle larger cybersecurity issues.
The National Cyber Security Coordinator (NCSC) and Indian Computer Emergency Response Team (CERT-In)has made tremendous efforts in recent times to handle cybersecurity issues; it is time to put a central command in the lines of – CBI or CEC which must be a single point of authority at the central level. Currently, RBI, SEBI, IRDAI, TRAI, PFRDA etc. have different cyber security framework for their regulated entities. However, none of the framework talks about inter-regulator coordination or integrated approach to handle cybercrime. Thus, the policy also needs to address unified cyber security framework across various regulators.
The demonetisation and Covid-19 has pushed us to adopt digitization in our day to day life. We are at the point of no return and now more and more activities will be carried on the internet and public networks. Work from home was never envisaged at such a large scale but it is now accepted as a new normal. India has taken a leapfrog by moving into digital transformation but it may not be sustainable in the long term if we do not have a strong shield on data protection laws and privacy policies.
- It is highly expected that the new cybersecurity policy would address the large issue of protecting critical information infrastructure in cyberspace, build integrated capabilities to prevent and respond to cyber threats, reduce vulnerabilities and minimize damage from cyber incidents through a combination of institutional structures, people, processes and technology through well-defined governance framework as there is an urgent need of having a comprehensive and unified government institution for creating a cyber defence network. The following would be major areas that are likely to get addressed in the new cybersecurity policy 2020:
- A holistic cybersecurity strategy with a possible amendment in the IT Act, as some of its provisions have become redundant and cannot address the issues arising from the evolving threats.
- The government need to consider creating the Cyber Defence Agency, which is to be entrusted with the responsibility of implement the cyber defence strategy for the national security.
- Constitution of cyber commando force as a part of the defence program to neutralize any cross boarder cyber terrorism or cyber-attack. Also, to create specialized cyber police cadres in all State police departments.
- Sectorial CERT and State level CERT would be more effective for rapid response on any cyber-attack. The State-level CERT team to ensure speedier incident response and coordination with national agencies.
- Building a business ecosystem to leverage artificial intelligence and robotics to improve cyber defence.
- Pass the proposed Data Protection Bill to protect critical information like personal data, business information, and financial information.
It is high time to consider amendment into the existing IT Act 2000 which is not fully sync with today’s cyber threat. Many of the provisions of the act have become redundant and not able to address the newer cyber threat landscape. In addition to the IT Act, it’s already delayed but high time to introduce data privacy laws. With the tremendous growth of the e-commerce market, people are sharing their data every day without having legal support. The privacy act would be a great compliment to the forthcoming cybersecurity policy. The revised policy is expected to cover the entire spectrum of current and future cyber challenges.
Views expressed in this article are the personal opinion of Bharat Panchal, Chief Risk Officer- India, Middle-East & Africa, FIS.