Www.iasbio.

com | whatsapp for UPSC NOTES 7091958453

Cyber security, encryption & cyber suraksha kendra

India’s cyber-threats include:

by countries (mostly China) by individuals (Paki and Chinese hacker, + local crooks)

1. cyber espionage 1. cyber crime

1. cyber war 1. cyber terrorism

. c o m
i o
Military grade cyber-weapons such as Stuxnet and flame, pose grave danger to nations, companies and

sb
individuals around the world.

a
Computer virus developed by Americans, to disrupt Natanz nuclear site in Iran.But other organizations

. i
Stuxnet across the world, including in India, operating with the Siemens system suffered from collateral damage

w
from the attack.

w
• A virus written solely for data gathering, or espionage.
• It can gather data from harddisk, computer microphones and web cameras even nearby Bluetooth

W
devices and report data back to its command and control network located around the world.
• Iran has claims this virus wiped the hard drives of its oil refineries.
Flame • Kaspersky (famous antivirus company) says flame is twenty times more complicated than Stuxnet.
• Flame’s creator is also unknown. But since flame’s function is not confined to stealing credit-
card/bank passwords only- It means flame was created by some government agency (rather than
individual hacker).

Some more points:

STRONG CHINA WEAK INDIA

• Since 2000-01, Pakistani cyber

criminals defacing Indian websites and
• Since 2003, the People’s Liberation Army has trained more writing derogatory messages against
than 30,000 cyber warriors and another 150,000 in the India.
private sector. • Recently even Chinese hacked into
• According to several reports, Chinese goal is to build the computers of Indian government
world’s best ‘informationised armed forces’. organizations.
• India’s strategy for cyber defense =
“thik hai / chalta hai / firefighting”
 Www.iasbio.com | whatsapp for UPSC NOTES 7091958453

. c o m
sb i o
. ia
w w
W
National Cyber Security Policy-2013

by Department of Electronics and Information Technology. This Policy aims:

1. To protect cyberspace from cyber-threats.

2. To protect private data of citizens and minimize damage from cyber-attacks.
3. With help of government organizations + pvt.players.

A National and sectoral 24X7 mechanism has been envisaged to deal with cyber threats through
National Critical Information Infrastructure Protection Centre (NCIIPC).

Computer Emergency Response Team (CERT-In) has been designated to act as a nodal agency for
coordination of crisis management efforts. CERT-In will also act as umbrella organization for
coordination actions and operationalization of sectoral CERTs.
 Www.iasbio.com | whatsapp for UPSC NOTES 7091958453

|:| Two Government organizations

Indian Computer emergency

National Critical Information Infrastructure Protection Centre (NCIIPC) response team (ICERT) or (CERT-
In)

Under National Technical Research Organisation (NTRO)NTRO is a technical Already exists under Department
intelligence agency set up after the Kargil conflict. of Electronics and IT.

Nodal agency to coordinate all

Nodal agency for critical information infrastructure protection in the country. matters related to cyber security

m
(except matters under NCIIPC.)

c o
• provide early warning and

.
response to security

i o
threats
• •

sb
will protect Nation’s critical IT infrastructure in energy (natural gas, ICERT will function as an
coal, oil and power), finance and banking, transportation (civil aviation umbrella organization.

a
and railways), space, law enforcement, security, telecom, defense, etc. Under this, sectoral will be

i
•

.
will work on 24/7 basis. created to work on 24/7
• will design/acquire new processes for IT protection. basis.

w
• provide Emergency

w
measures for handling
cyber security incidents

W
|:| To businessmen/companies

1. Provide tax reliefs/Fiscal benefits to businessman if they adopt cyber-security practices.

2. Encourage all public/private organizations, to have a Chief Information Security Officer (CISO),
responsible for cyber security.
3. Encourage and mandate them to use certified IT products.
4. certification for compliance to cyber security
5. Classify IT infrastructure based on risk perception so that adequate security protection
measures can be under taken.

|:| To law enforcement agencies

1. Legislative reforms to help law-enforcement agencies in investigation and prosecution of

cybercrime.
2. International cooperation / collaboration with agencies of other countries.

|:| To E-governance

1. Ensure that all organizations keep a specific budget cyber security and emergency.
2. Cyber crisis management plan for all e-Governance initiatives in the country, to reduce the risk
of disruption.
3. To engage Private IT experts/org. to assist e-Governance initiatives.
 Www.iasbio.com | whatsapp for UPSC NOTES 7091958453

|:| Fancy things common to all policies

• encourage cost-effective, tailor made desi solutions for IT security

R&D • Try to commercialize and export such desi software/technology
• Setup center of excellence.

• In next five year, get 5 lakh workers in cybersecurity field.

• formal-informal training centers for cybersecurity via PPP
HRD
• training/capacity building for law-enforcement agencies

m
• Public-private consortium to enhance the availability IT products based on open

o
standards.

c
PPP

.
• PPP for setting up training institution for IT security.

i o
1. Bilateral and multi-lateral coop. with other countries for cyber security.

a sb
1. Increase desi-videsi coop. among security agencies, CERTs, Defence agencies and the

i
judiciary.

.
COOP

w
1. To create a think tank for cyber security policy inputs, discussion and deliberations.

w
1. Cooperation-collaboration with stakeholders.

W
1. Hold workshops / seminars, create awareness about IT security among web users.
WINE AND DINE
1. Regular cyber security drills & exercises at various levels.
 Www.iasbio.com | whatsapp for UPSC NOTES 7091958453

. c o m
sb i o
. ia
w w
W
 Www.iasbio.com | whatsapp for UPSC NOTES 7091958453

On a lighter note:

1. The sacred-unwritten rule of government policies=> they must mention “sustainable

development”. I’m surprised that clichéd word is not used anywhere in this police. Secondly,
policy doesn’t contain any fancy term/catchy name/scheme named after you know who. It
means the bureaucrat who wrote this policy, is indeed an intelligent person who didn’t wish to
harass UPSC aspirants.
2. This cyber security policy specifically mentions: safeguard “citizen’s” private data. Does it mean
foreigner’s personal data will not be safeguarded!? Recall that in UIDAI/Adhar, BJP’s criticism is:
official policy every “resident” will get UIDAI number – meaning even Illegal Bangladeshis
who’re ‘residents’ of India but not citizens, will benefit.

. c o m
sb i o
Issues with NCIIPC:

a
In 2008, when the Information Technology Act 2000 was amended, the introduction of Section 70A and

. i
70B went largely unnoticed in policy circles.

w
Article 70A mandated the need for a special agency that would look at designated CIIs and evolve
practices, policies and procedures to protect them from a cyber attack. But the then United Progressive

w
Alliance government took another six years to create such an agency. On January 16, 2014, the

W
Department of Information Technology (DIT) issued a notification announcing the creation of a
specialised body to protect India’s Critical information infrastructure (CIIs). The National Critical
Information Infrastructure Protection Centre (NCIIPC) was created and placed under the technical
intelligence agency, the National Technical Research Organisation, to roll out counter-measures in
cooperation with other security agencies and private corporate entities that man these critical
sectors.

Unfortunately, since 2014, there seem to have been few moves to establish the mandate of the
government’s 2014 notification. A “critical sector” has been defined under the notification as “sectors
that are critical to the nation and whose incapacitation or destruction will have debilitating impact on
national security, economy, public health or safety”.

The government has identified 12 sectors that fit the bill and can be covered under the NCIIPC project as
mandated by Section 70A of the amended IT Act. These range from energy to power, law enforcement,
aviation, banking, critical manufacturing, defence and space. While several of them are housed within
the government, sectors such as energy and power are manned by the private sector. While the
overarching guidelines for the protection of CIIs were issued by the government in May 2012, the
sectors still lack specific guidelines that will address their peculiar challenges in cyberspace. (Thus
no comprehensive cover).

Issues with CERT: CERT has a huge shortage of manpower trained in latest technologies. The policy
also calls for developing human resource through education and training programmes, establishing
 Www.iasbio.com | whatsapp for UPSC NOTES 7091958453

cyber security training infrastructure through public private partnership and to establish institutional
mechanisms for capacity building for law enforcement agencies. Creating a workforce of 500,000
professionals trained in cyber security in the next 5 years is also envisaged in the policy through skill
development and training. The policy plans to promote and launch a comprehensive national awareness
programme on security of cyberspace through cyber security workshops, seminars and certifications
with a view to develop awareness of the challenges of cyber security amongst citizens.

Issues with cyber policy 2013:

o m
• There are certain areas which need further deliberations for its actual implementation.

c
•

.
The provisions to take care security risks emanating due to use of new technologies e.g. Cloud

o
Computing, has not been addressed.

i
• Another area which is left untouched by this policy is tackling the risks arising due to increased

sb
use of social networking sites by criminals and anti-national elements.
• There is also a need to incorporate cyber crime tracking, cyber forensic capacity building and

a
creation of a platform for sharing and analysis of information between public and private

. i
sectors on continuous basis.
• Creating a workforce of 500,000 professionals needs further deliberations as to whether this

w
workforce will be trained to simply monitor the cyberspace or trained to acquire offensive as

w
well as defensive cyber security skill sets.
• Indigenous development of cyber security solutions as enumerated in the policy is laudable but

W
these solutions may not completely tide over the supply chain risks and would also require
building testing infrastructure and facilities of global standards for evaluation.
• Indian Armed forces are in the process of establishing a cyber command as a part of
strengthening the cyber security of defence network and installations.
• Creation of cyber command will entail a parallel hierarchical structure and being one of the
most important stakeholders, it will be prudent to address the jurisdiction issues right at the
beginning of policy implementation.
• The global debate on national security versus right to privacy and civil liberties is going on for
long. Although, one of the objectives of this policy aims at safeguarding privacy of citizen data
however, no specific strategy has been outlined to achieve this objective.

NATIONAL CYBER COORDINATION CENTRE (NCCC) (STILL proposed)

• National Cyber Coordination Centre is a proposed cyber security and e-surveillance agency in
India.
• It is intended to screen communication metadata and co-ordinate the intelligence gathering
activities of other agencies.
• Government's cyber security arm Indian Computer Emergency Response Team (CERT-In) will be
the main agency handling the establishment of NCCC.
 Www.iasbio.com | whatsapp for UPSC NOTES 7091958453

• This Centre will have top experts from the field and it will be run like similar organisation in
other countries such as the US, the UK, France, Germany, etc.
• NCCC is expected to coordinate between intelligence agencies, specifically during network
intrusions and cyber-attacks.
• Its mandate may also include cyber intelligence sharing among agencies.
• Apart from monitoring the Internet, the NCCC would look into various threats posed by cyber
attacks.
• The NCCC will facilitate real-time assessment of cyber security threats in the country and
generate actionable reports/alerts for proactive actions by the concerned agencies.

o m
Some other steps that have been take or can be taken:

o. c
• The Budapest Convention is the only multilateral treaty on cyber security that addresses

i
Internet and computer crime by harmonizing national laws, improving legal authorities for

sb
investigative techniques, and increasing cooperation among nations.
• Developing countries including India have not signed it stating that the developed countries

ia
lead by the US drafted it without consulting them.

.
• Government has initiated Information Security Education and Awareness (ISEA) project with

w
the aim to develop human resource in the area of Information Security at various levels.

W w
Concerns with NCCC

Some have expressed concern that the body could encroach on citizens' privacy and civil-liberties, given
the lack of explicit privacy laws in the country.

A case for the Net’s Ctrl+Alt+Del (Govt shut internet in Gujarat)

“Anti-reservation protests in Gujarat turned violent, prompting the State government to shut off
mobile data services for a week.” Picture shows a resident taking a photo of a burnt bus in Ahmedabad.
Photo: Vijay Soneji

It is in the public interest that foreign Internet companies cooperate with governments during security
crises.

“Let me put it this way. Suppose riots have broken out in an American town, and incendiary messages
are being circulated through a messaging application owned by an Indian company. Were the
company not to cooperate with law enforcement agencies, what would the U.S. government do?”
asked the Indian official. The response from his American counterpart across the table was swift:
“That company would be in very serious trouble.”
 Www.iasbio.com | whatsapp for UPSC NOTES 7091958453

Earlier this month, when Indian and American negotiators met in Washington D.C. for the bilateral Cyber
Dialogue — after a gap of two years — they had a spirited exchange on the role of Internet companies
during emergencies. The Indian government has often flagged the concern that data-mining giants
based outside the country — Google, Twitter, Facebook and WhatsApp, to name a few — do not
cooperate with law enforcement authorities during a security crisis. For their part, the companies
argue that data-sharing with governments is a sensitive issue, especially as they are not privy to
official reasons for monitoring and surveillance. At the Cyber Dialogue this year, India pointed to the
2013 Muzaffarnagar violence and the 2012 exodus of Northeasterners from Bengaluru as prime
instances where social media played mischief, highlighting the need for closer cooperation between
American companies and the government.

c o m
Clampdown in Gujarat

i o.
sb
Hardly a week had passed since the dialogue when the anti-reservation protests in Gujarat turned
violent, prompting the State government to shut off mobile data services for a week. Following

a
protests in Imphal this week over the Protection of Manipur People (PMP) Bill, 2015, the Manipur

. i
government too blocked Internet access in several parts of the State. In Gujarat, the Internet

w
lockdown was in place in major cities like Ahmedabad till Tuesday, affecting the lives of tens of
thousands. Also happened in J&K.

w
Ordinary users and businesses were unable to send messages via 3G services, make payments through

W
Internet banking portals, file taxes online, or use location-based apps for transport. The State
government’s decision to ‘kill the Internet’, prompted by the concern that messages inciting violence
could be circulated along online platforms, was disproportionate. But this overreach is a sign of the
government’s vulnerability, not its enthusiasm to clamp down on speech.

A security crisis confers governments with wide legal latitude to restrict the flow of online
information.

They can do so in three ways:

• By targeting the content, medium or device. Content-specific restrictions usually take the form
of DNS (Domain Name System) seizures, where governments ask a website host (say, GoDaddy
or Bluehost) to de-register a domain name (say, www.yestogujaratviolence.com).
• Governments can require Internet Service Providers (ISPs) to block access to websites peddling
inflammatory content.
• A third kind of restriction targets the handheld device, where the government asks a phone
manufacturer to create ‘back doors’ for monitoring and filtering content on its devices.

All three methods are blunt, and could even be counterproductive.

 Www.iasbio.com | whatsapp for UPSC NOTES 7091958453

A website could easily park its domain elsewhere after its registration has been withdrawn. ISP blocks
can be circumvented through proxy servers and virtual private networks (VPNs). And creating online
‘back doors’ is a dangerous exercise because the security vulnerability so created can be exploited not
just by governments but by miscreants as well.

The Indian government understands that these methods, while legally defensible during an
emergency, are ineffective. This is why Gujarat blocked access to mobile Internet altogether rather
than targeting those websites or platforms that were promoting violence. Consider the example of
WhatsApp, a California-based company that has no presence in India. Its servers are located abroad.
Until recently, the company did not even have a designated representative in the country. If
WhatsApp is being used to promote incendiary messages, the government simply has no means to

m
filter problematic content. As a result, law enforcement agencies deploy excessive measures.

o. c o
Disclosure vs. privacy: Central and State governments in India share an adversarial relationship today

i
with social media companies. Authorities say their compliance requests go mostly unheeded. Takedown

sb
notices published by Internet companies are often selective, highlighting the most egregious demands
to paint governments in poor light. The argument that the private sector is standing up to government

ia
to protect user interests simply does not hold water. The privacy policies of some of the biggest Internet

.
companies today leave much to be desired. Many platforms have failed to regulate hate speech. If that

w
is not all, data collected by social media from India is being farmed abroad for commercial purposes.

w
It is in the public interest that foreign Internet companies cooperate with governments during security
crises. Frustrated by unsuccessful attempts at targeting sensitive content, Indian officials have reached

W
out to their counterparts in the U.S. and Europe, hoping to “nudge” foreign companies into compliance.
New Delhi’s desperation is understandable, but conversations on online filtering or blocking cannot take
place behind closed doors between governments. Similarly, data localisation laws that require
companies to set up servers in India cannot be a substitute for sound privacy policies.

Without a sustained dialogue between both parties, the government will continue to deploy ham-
handed measures as in Gujarat to meet its ends. They neither serve the interests of the user, whose
daily activities are affected, nor those of social media platforms, which are missing out on an
opportunity to be valuable conduits for life-saving information.

(Arun Mohan Sukumar heads the Cyber Initiative at the Observer Research Foundation, New Delhi.)

Measures to Protect Security Data from Cyber Spying:

Government has taken a number of steps to protect confidential information pertaining to Defence
Sector from Cyber-attack including setting up of Cyber Operation Centres for threat management and
mitigation as part of Framework for Enhancing Cyber Security of Indian Cyberspace. To protect
important and confidential data from Cyber-attack, the operational networks of the Armed Forces are
air gapped from internet. Further, Defence Services have established Cyber Emergency Response Teams
(CERTs) to prevent and react to cyber-attacks. Safeguards have been instituted in the form of audits and
physical checks. Policies, guidelines and procedures are laid down and cyber security advisories are
issued from time to time.
 Www.iasbio.com | whatsapp for UPSC NOTES 7091958453

This information was given by Defence Minister Shri Manohar Parrikar in a written reply to Shri Prof. M.
V Rajeev Gowda in Rajya Sabha today.

Upgrading India’s cyber security architecture

m
India should not hesitate to build its offensive cyber capabilities.

. c o
A fully operational cyber command is the need of the hour, given that India’s digital capabilities lag

i o
significantly behind regional and global players

sb
Two things set aside India’s digital spaces from that of major powers such as the United States and

a
China: design and density. India is a net information exporter. Its information highways point west,

. i
carrying with them the data of millions of Indians. This is not a design flaw, but simply reflects the
popularity of social media platforms and the lack of any serious effort by the Indian government to

w
restrict the flow of data. Equally important is the density of India’s cyberspace. Nearly 500 million

w
Indians use the Internet today, but they do not access the Internet from the same devices. Apple’s
market share in the U.S., for instance, is 44 per cent, but iPhones account for less than 1 per cent in

W
India. The massive gap between the security offered by the cheapest phone in the Indian market and a
high-end smartphone makes it impossible for regulators to set legal and technical standards for data
protection.

Digital intrusions

With little control over the hardware used by Indian Internet users as well as the information that is
carried through them, India’s national security architecture faces a difficult task in cyberspace.

India’s infrastructure is susceptible to four kinds of digital intrusions:

• espionage, which involves intruding into systems to steal information of strategic or commercial
value;
• cybercrime, referring to electronic fraud or other acts of serious criminal consequence;
• attacks, intended at disrupting services or systems for a temporary period; and
• war, caused by a large-scale and systematic digital assault on India’s critical installations.

Indian authorities have spent the lion’s share of their resources tackling localised cybercrime while
responding to major attacks on a case-by-case basis.

Recognising the strategic dimensions of cyberspace, the Prime Minister’s Office (PMO) created the
position of the National Cyber Security Coordinator in 2014, a welcome first step.
 Www.iasbio.com | whatsapp for UPSC NOTES 7091958453

There is, however, no national security architecture today that can assess the nature of cyber threats
and respond to them effectively. India’s civilian institutions have their own firefighting agencies, and
the armed forces have their own insulated platforms to counter cyber attacks.

Unlike nuclear energy, a neat division between civilian and military use of cyberspace is difficult. Just
as the Indian Army may face serious cyber attacks from non-state actors in Pakistan, the digital assets
of a major Indian conglomerate — say, the Oil and Natural Gas Corporation — may be taken down by
a military. The asymmetric character of digital warfare requires a multi-agency organisation that is
technically equipped, but also bases its decision on sound strategy and regular policy inputs.

m
What could such an agency look like?

c o
The first requirement is to house it with permanent and semi-permanent staff that is technically

.
proficient in cyber operations, both defensive and offensive. India faces a shortage of officers trained in

i o
creating and breaking encrypted platforms as well as using digital networks for intelligence gathering.

sb
Were such a National Cyber Security Agency (NCSA) to be created, it should have a functional “nucleus”
or secretariat.

ia
The second requirement is to coordinate the agency’s policy functions and operations. The current

.
cybersecurity policy, articulated in 2013 by the Ministry of Communications and Information

w
Technology, is basically a statement of first principles. The NCSA should be guided by a document

w
outlining India’s cyber strategy, much like its nuclear doctrine.

W
India currently has a top layer of agencies performing cyber operations — the National Technical
Research Organisation, the National Intelligence Grid, and the National Information Board, to name a
few — but there is also an additional layer of ministries performing governance functions.

The Ministries of Defence, Home, External Affairs and IT should be part of a policy wing that provides
their assessments of local and regional developments. India’s intelligence agencies should separately
provide their consolidated inputs to aid the operations of the NCSA.

Last, India should not hesitate to build its offensive cyber capabilities. This would involve the
development of software designed to intrude, intercept and exploit digital networks. The deployment of
cyber weapons is not a low-cost affair, as the digital trail allows adversaries to track and possibly predict
the development of future technologies. Nevertheless, a cyber arsenal serves the key function of
strategic deterrence. India’s cyber command should be the primary agency responsible for the creation
and deployment of such weapons.

Given the power entrusted in such an agency — as with India’s nuclear command, it would report to the
PMO — it should have political or parliamentary oversight. In particular, the use of its capabilities
against Indian citizens or domestic networks must be guided and supervised by a legal framework.

A fully operational cyber command will take years to complete. It is the need of the hour, given that
India’s digital capabilities lag significantly behind regional and global players. Whatever final form India’s
cyber command takes, the government would do well to pursue a two-pronged strategy in the interim.
 Www.iasbio.com | whatsapp for UPSC NOTES 7091958453

First, advocate restraint in cyberspace as a global norm. India is an active participant in discussions
around the Tallinn Manual, which is a set of non-governmental guidelines for engagement during war. A
group of government experts will convene later this year under the aegis of the UN — India is expected
to be at the table — to discuss norms that trigger cyber war. At these forums, India should underline the
basic premise that it is impossible to thwart all cyber attacks, and therefore encourage nation-states to
restrain from deploying cyber weapons. Second, the government should draft recruitment guidelines to
hire and train a cadre of cyber specialists. Attracting such officers may require high pay scales and other
benefits — a model the U.S. has aggressively pursued — but they would bring in India’s best minds. If
India’s cyberspace has built-in vulnerabilities, it also has a highly skilled IT workforce, which should be
harnessed by the government for strategic use.

m
(Arun Mohan Sukumar heads the Cyber Initiative at the Observer Research Foundation, New Delhi.)

o. c o
sb i
DRAFT ENCRYPTION POLICY

a
(rolled back under heavy criticism, doesn’t exist anymore. Still take a look):

. i
Under Section 84A of Information Technology Act, 2000 Rules are to be framed to prescribe modes or

w
methods for encryption. In this regard, a draft National Encryption Policy was formulated by an Expert
Group setup by Government. The aim was to enable information security environment and secure

w
transactions in Cyber Space for individuals, businesses, Government including nationally critical

W
information systems and networks.

THE OBJECTIVE OF THE POLICY

• To synchronize with the emerging global digital economy / network society and use of
Encryption for ensuring the Security / confidentiality of data and to protect privacy in
information and communication infrastructure without unduly affecting public safety and
National Security.
• To encourage wider usage of Digital Signature by all entities including Government for trusted
communication, transactions and authentication.
• To encourage the adoption of information security best practices by all entities and
Stakeholders in the Government, public & private sector and citizens that are consistent with
industry practice.

Salient features:

• All citizens “are required to store the plain text of the encrypted messages for 90 days” and
provide it to law enforcement agencies as and when required.
• All vendors of encryption products need to register their products with the designated agency of
the Government
• All encryption technology used in India shall be cleared by the government.
 Www.iasbio.com | whatsapp for UPSC NOTES 7091958453

• Government shall maintain a list of all encryption technologies and only those technologies
which are on the list can be used in this country. It means government knows every encryption
technology used in India
• Common use Web-based applications and social media sites such as WhatsApp, Facebook and
Twitter were exempted.
• The encryption products being used in Internet-banking and payment gateways under direction
of the RBI And those being used for e-commerce and password- based transactions, are also
exempted.

Why in News?

m
The Government of India recently published the Draft National Encryption policy for public comments

o
online seeking methods of data encryption of data and communications used by the government,

. c
businesses, and even citizens. The said draft policy evoked strong responses from various stakeholders

o
and consequently, shortly after its introduction for comments in the public domain, the said Draft

i
National Encryption policy was withdrawn by the Government.

. ia sb
What is encryption?

w
Encryption is the process of encoding messages or information in such a way that only authorized

w
parties can read it.

W
For example: word "IAS" can become "JBT" in encrypted form, if every letter is replaced by next
alphabet. Those who know how it is encoded can only able to read "IAS" correctly.

Uses of Encryption

All messaging services like WhatsApp, Viber, Google Chat, Yahoo messenger use encrypted services.
Banks and e-commerce sites also use encryption to protect financial and private data including
passwords.

How did encryption originate?

The Preamble to the draft policy states that encryption technology was traditionally deployed most
widely to protect the confidentiality of military and diplomatic communication. However, the revolution
in Internet technology, expanded the scope of encryption to e- commerce and e-governance civilian
applications. This further led to the need to protect privacy and increase the security of the Internet and
associated information systems and develop policies that favor the spread of encryption worldwide.

CRITICISM
 Www.iasbio.com | whatsapp for UPSC NOTES 7091958453

• Policy will affect almost all Internet users- a majority is not even aware that it is using encryption
technologies.
• The biggest concern of this new policy is around the fact that users and organizations would “on
demand” need to store all communication in plain text for 90 days from the date of transaction
and make it available to law enforcement agencies. Most of the users in India do not know the
meaning of plain text and in such a case they can be held liable for not storing their encrypted
data in plain text format. Thus, almost everyone using the Internet will find themselves in
violation of these rules.
• In case of communication with any foreign entity, the primary responsibility of providing
readable plaintext along with the corresponding encrypted information shall rest on the
business or citizen located in India.
•

m
Additionally, service providers located within and outside India, using encryption technology for

o
providing any type of services in India, must enter into an agreement with the government. This

c
is seen as impractical as there are many service providers around the world that use encryption.

.
It would be highly unrealistic for all of these to enter into an agreement with the Indian

o
government.

i
• Keeping a copy of the data will require huge storage and that will come at a cost.

sb
• There is a fear that the policy will start a new “registration raj”, now that all encryption
technologies that can be used in India will need to be certified and listed by the agencies

ia
concerned.

.
• For companies that store private data it would mean storing passwords in plain text, which

w
means private
• and confidential data will remain unencrypted and hence vulnerable for 90 days.

w
• The government proposed to prescribe the algorithms and key sizes for encryption. This implies
government

W
• control over all data.

Why does India need encryption?

• To promote use of encryption for ensuring the security/ confidentiality of internet

communication and transactions
• To facilitate investigation of crimes and threats to national security in the age of sophisticated
encryption technology
• To promote research in encryption technology as it is restricted and not available to India under
Wassenaar agreement.
• To build consumer confidence in retail and e-governance, encouraging more Indians to go online
and strengthening the country’s underdeveloped cybersecurity sector.
• To check misuse of encryption.

What is a good encryption policy?

• The policy should leave room for innovation in the field of encryption technology so that
industry leaders have incentives to innovate and offer consumers more secure information
services.
 Www.iasbio.com | whatsapp for UPSC NOTES 7091958453

• The policy should goal for securing information through a minimum standard, instead of
rendering it insecure by dictating a standard that might get obsolete.
• The policy must be sensitive to the need to promote cybersecurity research in India.
• The process to retrieve encrypted data must be transparent and necessarily be backed by a
court warrant from a civil court, obtained through an open judicial hearing.
• The policy should provide guidance on the use of information/ data within the country in a
regulated manner and ensure that our government agencies can access them for investigating
serious issues related to terrorism, national security and critical infrastructure.
• The new policy would need to focus on enterprises such as e-commerce companies to ensure
their encryptions were good enough to secure customer's financial and personal data.
• The policy should prescribe technologies which are globally accepted. It should also talk about

m
revising them from time to time, which is very important as this is a dynamic space.

. c o
WAY FORWARD

i o
It is encouraging to see the government take steps towards securing information. Cybercrime and cyber

sb
terror are real threats and governments need to devise solutions to fight them. The answer lies in
developing the capability to monitor and tackle such threats effectively and in a manner that strikes a

ia
reasonable balance between privacy rights and security concerns.

w .
W w
NATIONAL CENTER OF EXCELLENCE IN TECHNOLOGY FOR INTERNAL SECURITY (NCETIS)

Need: Presently India do not have a center with long term and focused approach to develop
technologies to meet internal security challenges for Police and Paramilitary forces. The NCETIS will act
as national nodal facility, to cater to the requirements of homeland/internal security technology
requirements and technologies for disaster management.

FUNCTIONS:

The NCETIS is expected to work in the electronic technology areas, of homeland/internal security,
specifically for Police and Paramilitary forces and disaster management, covering the broad areas such
as:

o Communication Systems

o Video Surveillance and Analysis

o Ground Penetration Radar (GPR) for Landmine detection

o Unmanned Vehicles

o Cyber and Data Security

o Biometric Applications
 Www.iasbio.com | whatsapp for UPSC NOTES 7091958453

o Handheld Detectors for Explosives, Landmines, Chemical and Biological Warfare o TherApplication

• It will focus on handling modern warfare techniques, enhancing intelligence services and
improving internal security, in the face of rising terror threats.
• It is working on detectors for land mines, cyber security, cryptology, video surveillance, image
processing, monitoring of unmanned vehicles and biometric security.
• It will discuss security gaps with various agencies - such as Mumbai police, CRPF, CISF - and
conduct research to provide the required technology.

Cyber Swachchta Kendra–Botnet Cleaning andMalware Analysis Centre: Minister of Electronics and

m
Information Technology launched the Cyber Swachchta Kendra–Botnet Cleaning and Malware Analysis

o
Centre for analysis of malware and botnets that affect networks and systems.

i o. c
About Cyber Swachchta Kendra

. ia sb
• It is part of Digital India initiative under the Ministry of Electronics and Information Technology
(MeitY).

w
• The systems will be scanned by the Computer Emergency Response Team (CERT-in) for free of

w
all those users who register to the CSK website. (THUS for everyone).
• It will then notify, enable cleaning and secure systems of end-users to prevent further infections

W
• This centre will work in coordination with the internet service providers (ISPs) and Industry.
• This Kendra will also enhance awareness among citizens regarding botnet and malware infection
along withmeasures to be taken to secure their devices.

Botnet: A botnet is a network of computers infectedwith malware without the user's knowledge and
controlled by cybercriminals. They’re typically used to send spam emails, transmit viruses and engage in
other acts of cybercrime.