Public Admin - Internals
INTRODUCTION
The National Cyber Security Policy (NCSP), 2013 is a policy document that was drafted by
the Department of Electronics and Information Technology aiming to protect the private and
public infrastructure from cyber-attacks. This policy was drafted after there were reports that
the government of USA was spying on India through the NSA scandal and there were no
techno-legal grounds to protect/safeguard the infrastructure. This policy was established to
monitor, strengthen, and safeguard defences against cyber-attacks.
The policy also aims to protect "information, such as personal information (of web users),
financial and banking information and sovereign data". Cyberspace is a complex ecosystem
made up of human interactions, software services, and the international dissemination of
information and communication technology, according to the Ministry of Communications
and Information Technology (India).
Citizens of India are empowered with information/knowledge. Hence, it is important to
distinguish between information that can move freely between systems and information that
needs to be secured. These could consist of personal data, banking and financial information, and security
data that, in the wrong hands, could jeopardise the security of the country. In order to
digitalize the economy and promote more digital transactions, the government must be able to
increase public trust in the Information and Communications Technology (ICT) systems that
regulate financial transactions.
The National Cyber Security Policy document outlines a route for creating a framework for
an extensive, collaborative, and collective response in order to deal with the problem of cyber
security at all levels. The policy recognises the need for adopting goals and plans on a
national and worldwide scale.
BACKGROUND
The majority of countries' cyber security policies, including those of the US, have adopted a
market-driven approach to implementation, which means that while many of these policies
require security measures for government departments or agencies, they do not impose them
on private companies. For a number of reasons, including the inadequacy of voluntary efforts
to ensure national security requirements, such a market-driven strategy has drawn criticism.
The US attempted to introduce cyber security legislation, but it was not approved, signalling
a strategic shift in policy. After that, the US government issued the executive order to bolster
internet security.
However, even this executive order did not mandate businesses to implement security
measures but is intended to facilitate information sharing between government and businesses
and promote voluntary adoption of cyber security framework.
Therefore, analyzing NCSP in the context of a market-driven versus regulatory
approach is intriguing. According to the policy, the government appears to be combining
both regulatory and market-driven methods. For instance, the policy on the one hand
mentions encouraging organisations to appoint CISOs, develop information security policies,
adopt guidelines for the procurement of reliable ICT products and services, earmarking of
specific budget for security, and even goes so far as to offer fiscal schemes and incentives to
encourage organisations to strengthen their information infrastructure with respect to cyber
security.1 It encourages ‘all entities to periodically test and evaluate the adequacy and
effectiveness of technical and operational security control measures.’2
The policy does, however, refer to "mandatory periodic audit and review of the adequacy and
effectiveness of security of information infrastructure, as may be appropriate." The policy is
still unclear and open to further explanation as to which "information infrastructure" it refers
to. However, if one examines other sections of the policy and compares them to the sections
above, one may conclude that the policy's goal is to require security measures for vital
information infrastructure and e-governance services. For all e-governance projects, the
policy "mandates adoption of global security best practises, business continuity management,
and cyber crisis management plan."3
1 NCSP 2013 - IV.A. Creating a secure cyber ecosystem
2 NCSP 2013 - IV.B.(7) Creating an assurance framework
3 NCSP 2013 - IV.F.(1) Securing e-Governance services
The same has been mandated for critical sector entities4 in addition to ‘encouraging and
mandating as appropriate, the use of validated and certified IT products’, ‘mandating security
audit of critical information infrastructure on periodic basis’ and ‘secure application / software
development process’ and goes to the extent of ‘mandating certification for all security roles.’
India has 36 different central bodies—the majority of ministries have their own—that
deal with cybersecurity issues, each with a unique reporting structure, in contrast to
the US, Singapore, and the UK, where there is a single umbrella organisation for the
field. Each state government also has a separate Computer Emergency Response
Team (CERT). Hence, to unify the country, a single policy is required.
Many cyber hackers — state, nonstate, professional, freelancer groups, so-called
“anonymous groups” — operate worldwide and conduct attacks internationally.
Concerns about heightened cyberattacks from China and its close allies have grown as
a result of the standoff at the frontier. Although little malicious activity has been
noticed, the CERT-IN and media have released a number of advisories about the
potential for cyberattacks from China.
Approximately more than one third of all cyber-attacks worldwide are launched from
China. They have one of the largest military groups of cyber experts in the world.
Countries like North Korea and Pakistan are also very active on their own and work in
close collaboration with the Chinese. These countries have been accused of
perpetrating state-sponsored attacks for a variety of purposes.
4 NCSP 2013 - IV.G. Protection and resilience of Critical Information Infrastructure
The prime minister of Australia voiced worry about Chinese cyberattacks. APT40,
APT3, APT10, and APT17 are just a few of the Advanced Persistent Threat Vectors
that have reportedly been created and used by China for espionage, data theft, and
intellectual property theft. While some APTs are general-purpose instruments, others
are tailored for particular nations and objectives. APT1, APT3, APT10, APT15,
APT17, APT26, and other methods and instruments have been used against India as
well.
APT36 is being used by Pakistan as well to attack Indian entities. It is well known
that the hacker collective LAZARUS is responsible for assaults on financial targets in
Bangladesh, India, and other South Asian nations.
Malware, or malicious software, can be used to sabotage computer operations as well
as to steal, encrypt, or delete confidential data. The Nuclear Power Corporation of
India Ltd, which manages nuclear reactors all over the nation, stated in October that
although malware had been found in one of its machines in September, none of its
other systems had been compromised.
In October, Facebook-owned messaging service WhatsApp filed a lawsuit against
Israeli surveillance company NSO Group, alleging that the company assisted
customers in using malware to gain access to the phones of about 1,400 users,
including some in India. Journalists and activists were among the targets of the
hacking.
MAIN AIMS
Operating a 24×7 National Critical Information Infrastructure Protection Centre
(NCIIPC) to improve the protection and resilience of the country’s critical
infrastructure information.
Improving and creating mechanisms at the national and sectoral levels that operate 24
hours a day, seven days a week for gathering strategic information about threats to
ICT infrastructure and devising scenarios for crisis management and response.
Recruiting 500,000 workers with cybersecurity expertise over the next five years.
Offering financial incentives to businesses that implement standardised security
procedures and practises.
Protection of individual data privacy and a decrease in financial losses brought on by
cybercrime or data theft.
Improving law enforcement skills and enabling successful cybercrime investigation,
prosecution, and prevention through legislative action.
In general, this policy's goals are to improve the legal system and develop a safe cyberspace
ecosystem. Through the National Critical Information Infrastructure Protection Centre (NCIIPC), a
national and sectoral 24x7 system has been envisioned to deal with cyber threats. It
has been decided that the Computer Emergency Response Team (CERT-In) will serve as the
nodal organisation for coordinating crisis management activities.
The operationalization of sectoral CERTs will be coordinated by CERT-In, which will also
serve as an umbrella group. In order to develop scenarios for response, resolution, and crisis
management through efficient predictive, preventive, response, and recovery action, a
method for gathering strategic information about threats to ICT infrastructure is suggested.
However, some issues still require more thought before being put into practise. There are no
provisions in place to handle security risks brought on by the use of new technologies, such
as cloud computing. Combating the risks brought on by criminals and anti-national elements
using social networking sites more frequently is another area left unaffected by this strategy.
Tracking cybercrime, developing cyberforensic expertise, and developing a platform for
ongoing information exchange and analysis between the public and private sectors are also
necessary.
It needs to be further considered whether training 500,000 professionals to only watch
cyberspace or training them to learn both offensive and defensive cyber security skill sets is
the best course of action. It is admirable that local companies are creating the cyber security
solutions listed in the policy, but these solutions might not completely protect against supply
chain risks, and they would also need to create testing infrastructure and facilities that meet
international standards for evaluation.
As part of enhancing the cyber security of defence networks and installations, the Indian
Armed Forces are creating a cyber command. Because the Armed Forces are one of the most
significant stakeholders, the establishment of a cyber command will necessitate the creation
of a parallel hierarchical structure, so it will be wise to address the jurisdictional concerns
at the outset of the execution of the policy. National security vs. civil liberties and the right
to privacy is a topic of intense debate on a worldwide scale. Although protecting the privacy of
citizen data is one of this policy's goals, no particular plan has been laid out to accomplish this goal.