National Cyber Security Policy 2013 - Possible Changes and Amendments
*This was presented as part of Manthan: Cyber Security Conference organised by FANS Chhattisgarh Chapter at Raipur on July 19, 2018
The borderless nature of the internet makes it difficult to track and prevent cybercriminals specially which involves more than two countries. Communication which has become easier through the internet increases the threat of cybercriminals operating through malware sitting in different time-zones. This becomes crucial considering the Digital India project and emphasis on the cashless transaction which has increased the automation and Internet of Things (IoT) in India leading to increase in the size of the cyber security market. in 2015, India's domestic cyber security market, which was estimated to be nearly USD 1.06 billion.
There is growing concern among nations and Multi-National Corporation to create a global network to ensure cybersecurity, to identify and address the emerging security threats which can wreck havoc considering all critical aspect of nation-state whether finance or defence is heavily dependent on internet-based tools. National Cyber Security Policy has laid the basic of cybersecurity in India but there is need for regular up-dation of policy considering the dynamic nature of cyberspace. The decentralization of cyberspace imagined through Web 3.0 will disrupt the existing structure. India is close to becoming world leader in internet penetration and IoT which logically demands being a global leader for cyber security and as facilitator for adoption of international code of ethics for secure cyber to ensure harmonious relation and to achieve the common goal of development by utilizing the best of the cyberworld.
Key words: Cyber Security, Policy, Cyber crime, National Cyber Security Policy (2013)
Introduction: Little town in Jharkhand’s Jamtara district is often frequented by police from different States: it has emerged as one of the biggest hubs of cybercrime in the country. Records at the Karmatar police station reveal that between April 2015 and March 2017, police teams from 12 different States have visited the station 23 times and arrested around 38 accused. Over 80 cases have been registered suo-motu by the Jamtara district police between July 2014 and July 2017 against 330 residents of the area. At Karmatar police station alone, the number of arrests in 2017 has crossed 100[1].
The financial impact of cyber threat can be gazed through the case of cryptoworm ‘Wannacry’. In May 2017, WannaCry— a ransomware cryptoworm—emerged and spread like wildfire across the Internet. To propagate, it took advantage of a Microsoft Windows security vulnerability called EternalBlue, which was leaked by the hacker group Shadow Brokers in mid-April 2017. WannaCry had earned more than US$143,000 through bitcoin payments at the point the wallets were cashed out. Given the timeline, and calculating accrual of the value on the bitcoin originally paid into the wallets at $93,531, Cisco threat researchers estimate that roughly 312 ransom payments were made. As a comparison, the exploit kit Angler, when it was active, was earning about $100 million per year as a global business[2].
Oxford dictionaries defines Cyber Crime as “Criminal activities carried out by means of computers or the Internet” defining the word in its broader sense representing the true threat. Cyber crimes can be broadly categorized into three categories[3]: Individual crimes targets an individual through cyber stalking, distributing pornography etc. Property, crime against individual or organizations targeted to siphon off money are categorised as property crimes. Government, these crimes are extremely serious in nature and can trigger international crisis referred as cyber terrorism. In this category, criminals hack government websites, military websites to collect sensitive information or to circulate propaganda. Security incidents reported in India during last two years are shown below:
Security Incidents 2016 2017 Phishing 757 552 Network Scanning/Probing 416 9383 Virus/ Malicious Code 13371 9750 Website Defacements 31664 29518 Website Intrusion & Malware Propagation 1483 563 Others 2671 3315 Total 50362 53081 Data Source: Annual Report, CERT-In 2017 & 2018
In 2015, India's domestic cyber security market, was estimated to be nearly USD 1.06 billion, with a growth of 8.2 percent over the previous year. It is projected that the global cyber security market (including services and products) will touch USD 200 billion by 2025, with security expenditure accounting for around 7-8 percent of the total IT spend by 2020[4]. Cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. Today there are more than 1.2 billion websites. There are 3.8 billion Internet users in 2017 (51% of the world’s population of 7 billion), up from 2 billion in 2015. Cybersecurity Ventures predicts that there will be 6 billion Internet users by 2022 (75% of the projected world population of 8 billion) — and more than 7.5 billion Internet users by 2030 (90% of the projected world population of 8.5 billion, 6 years of age and older). Like street crime, which historically grew in relation to population growth, we are witnessing a similar evolution of cybercrime. It’s not just about more sophisticated weaponry, it’s as much about the growing number of human and digital targets[5].
Critical infrastructure is largely owned and operated by the private sector. Some of them are multi-national operating from out of India and not under the control of Government of India. Multiple agencies are involved in securing ICT infrastructure. These include private operators for their respective pieces of the infrastructure[6]. Cryptocurrency and blockchain has created a new dimension to the cyberspace which is a sustainable model outside the control of any nation-state. Web 3.0 as envisaged will lead to decentralization of World Wide Web and will create a powerful disintegrated system without any accountability. Broadband internet along with new technologies such as blockchain, Image processing, Machine Learning etc opened the new areas of cybercrimes[7]. Cryptojacking, Supply chain compromises, Worms. IoT and Cloud based data storage security has increased the impact and instances of data breaches which has started becoming the headlines which will increase in future. The reach of internet is going beyond the fields imagined earlier. IoTs and automation has increased the number of units attached to internet. According to one estimate by the end of 2018 around 11 billion units will be attached to internet. Few statements are mentioned here to understand the growing size of internet[8]:
‘The Big Data Bang’ is an IoT world that will explode from 2 billion objects (smart devices which communicate wirelessly) in 2006 to a projected 200 billion by 2020, according to Intel. Gartner forecasts that more than half a billion wearable devices will be sold worldwide in 2021, up from roughly 310 million in 2017. Wearables includes smart-watches, head-mounted displays, body-worn cameras, Bluetooth headsets, and fitness monitors. ABI has forecasted that more than 20 million connected cars will ship with built-in software-based security technology by 2020 — and Spanish telecom provider Telefonica states by 2020, 90 percent of cars will be online, compared with just 2 percent in 2012.
Cybersecurity Ventures predicts that there will be 6 billion Internet users by 2022, and 7.5 Billion Internet users by 2030. Forecast for Wearable Devices Worldwide 2016-2018 and 2021 (Millions of Units)[9]:
Device 2016 2017 2018 2021 Smartwatch 34.8 41.5 48.2 80.96 Head-mounted display 16.09 22.01 28.28 67.17 Body-worn camera 0.17 1.05 1.59 5.62 Bluetooth headset 128.5 150 168 206 Wristband 34.97 44.1 48.84 63.86 Sports watch 21.23 21.43 21.65 22.31 Other fitness monitor 30.12 30.28 30.97 58.73 Total 265.88 310.37 347.53 504.65
Cyber security as defined by Oxford Dictionary “The state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this.” Cyber security is bunch of techniques of protecting computers, networks, programs and data from unauthorized access or attacks that are aimed for exploitation. Major areas covered in cyber security are[10] Application Security, Information Security, Disaster recovery and Network Security.
International initiative:
The borderless nature of internet makes it difficult to track and punish criminals specially which involves more than two countries. Communication which has become easier after the internet increases this threat while providing easy collaboration between criminals sitting in different time-zones. There is growing concern among nations and Multi National Corporation to create a global network to identify and address the emerging security threats. Many world leaders and experts have called for better collaborations to ensure cyber security. Leaders like Prime Minister Narendra Modi and Mr Benjamin Netanyahu are more vocal about this. Various new collaborations are emerging around the world. Few important collaborations are:
· EU-US Working Group on Cyber-Security and Cyber-Crime: This Working Group, established at the EU-US Summit in November 2010 is tasked with developing collaborative approaches to a wide range of cyber-security and cyber-crime issues.
· International Watch and Warning Network: The IWWN is a worldwide network of government representatives from fifteen countries in the field of policy and operational execution.
· Global Centre for Cybersecurity: The World Economic Forum (WEF) announced the launch of a new Global Centre for Cybersecurity to "help build a safe and secure global cyberspace". As announced aim of the centre is to establish the "first global platform" for governments, businesses, experts and law enforcement agencies to collaborate on cybersecurity challenges.
· European Network and Information Security Agency: The European Union Agency for Network and Information Security (ENISA) is a centre of expertise for cyber security in Europe. The Agency is located in Greece with its seat in Heraklion Crete and an operational office in Athens.
· UNODC: UNODC is a wing of United Nations and leader in the fight against illicit drugs and international crime. Cybercrime is one of the mandate of UNODC. It promotes long-term and sustainable capacity building in the fight against cybercrime through supporting national structures and action. Specifically, UNODC draws upon its specialized expertise on criminal justice systems response to provide technical assistance in capacity building, prevention and awareness raising, international cooperation, and data collection, research and analysis on cybercrime.
· Some other noteworthy institutions working at global level for internet security are listed below[11]:
Institutions Role Data Availability Example variables
AP-CERT Asian regional coordination High Collation of security
CERT/CC Coordination of global Moderate Vulnerabilities
especially national CERTs hotline calls received,
advisories and alerts published,
ITU Sponsors IMPACT, Moderate Internet usage
Global Cybersecurity index and
a Global Cybersecurity Index
promote information exchange
The SANS Internet's early warning Moderate Publishes webcasts on
Institute system threats,
tools to improve security,
Center for Provides resources to Low Publishes annual reports,
Internet enhance the intelligence advisories;
Security cyber security hosts MS-ISAC
Internet Security Awareness on Moderate promotes information
Alliance cyber security sharing,
CSA Awareness of Low Educational opportunities
Cloud Security best practices and
secondary data from working
Ponemon Research on privacy, Moderate Publishes
Institute data protection research studies
International Specializes in Moderate Graphs of
Computer antivirus and which countries
Security anti-spam sent the
Existing Indian response structure:
According to National Cyber Security Policy, 2013 the basis of our approach to cyber security is “The protection of information infrastructure and preservation of the confidentiality, integrity and availability of information in cyberspace is the essence of a secure cyber space”[12]. In India, the initiatives taken by the Government so far have focused on the issues such as cyber security threat perceptions, threats to critical information infrastructure and national Security, protection of critical information infrastructure, adoption of relevant security technologies, enabling legal processes, mechanisms for security compliance and enforcement, Information Security awareness, training and research[13].
In the light of the growth of IT sector in the country, ambitious plans for rapid social transformation & inclusive growth and India’s prominent role in the IT global market, providing right kind of focus for creating secure computing environment and adequate trust & confidence in electronic transactions, software, services, devices and networks, has become one of the compelling priorities for the country. Such a focus enables creation of a suitable cyber security eco-system in the country, in tune with globally networked environment[14].
A Computer Emergency Response Team –India (CERT-In) has been set up and is operational as the national agency for cyber incidents. It operates a 24x7 Incident Response Help Desk to help users in responding to cyber security incidents. It has been issuing regular alerts on cyber security threats and advises countermeasures to prevent attacks. CERT-In has established linkages with international CERTs and security agencies to facilitate exchange of information on latest cyber security threats and international best practices[15].
In to serve as the national agency to perform the following functions in the area of cyber security[16]:
· Collection, analysis and dissemination of information on cyber incidents
· Forecast and alerts of cyber security incidents
· Emergency measures for handling cyber security incidents
· Coordination of cyber incident response activities
· Issue guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents
· Such other functions relating to cyber security as may be prescribed
It is a welcome step that the Narendra Modi government has created a cybersecurity chief’s position under the Prime Minister’s Office[17] which shows the recognition of importance of the cybersecurity. In addition, Government of India has encouraged the Involvement of private sector in cyber security and thus has kept NASSCOM in loop. NASSCOM, a not-for-profit industry association, is the apex body for the 154billion dollar Indian IT BPM industry[18]. NASSOM has established Data Security Council of India (DSCI), a not-for-profit, industry body on data protection in India, committed to making the cyberspace safe, secure and trusted by establishing best practices, standards and initiatives in cyber security and privacy. To further its objectives, DSCI engages with governments and their agencies, regulators, industry sectors, industry associations and think tanks for policy advocacy, thought leadership, capacity building and outreach activities[19].
Issues with national Cyber Security Policy 2013:
The 2013 Policy explains the broad principles of how India can approach cyber security. However, the government of India needs an updated policy to move beyond simply a statement of principles and outline how to operationalize cyber security, from training cybersecurity personnel, to establishing public-private partnerships, and to facilitating civil-military collaboration[20].
One troubling aspect of the Policy is its ambiguous language with respect to acquisition policies and supply chain security in general[21]. It mentions about procuring trustworthy ICT products and indigenously manufactured product[22] but it is completely silent on the part of imported products which forms major part of ICT.
Policy runs afoul of a common pitfall: conflating threats to the state or society writ large (e.g. cyber warfare, cyber espionage, cyber terrorism) with threats to businesses and individuals (e.g. fraud, identity theft). Although both sets of threats may be fairly described as cyber security threats, only the former is worthy of the term national cyber security. The latter would be better characterized as cyber crime. The distinction is an important one, lest cyber crime be “securitized,” or elevated to an issue of national security. To ensure security with privacy the proposed privacy safeguards must be clarified and ideally backed by a separate piece of privacy legislation[23].
In modern warfare National defence and Information Technology intersect each other, often referred as cyber warfare. National Cyber Security Policy, 2013 is completely silent about the threat emerging from foreign soil related to national defence. There are broadly two intersections between national security and information technology; these are: (i) the security of networked communications used by the armed forces and intelligence services, and (ii) the storage of civil information of national importance. An intensive use of information technology to create networks of information aids situational awareness and enables collaboration to bestow an advantage in combat. Pre-empting such attacks should be a primary policy concern; not so, apparently, for the NCSP which is completely silent on this issue. The NCSP is slightly more forthcoming on the protection of critical information infrastructure of a civil nature such as the national power grid or the Aadhar database[24].
Indian data protection law is behind the international curve. The country’s data protection laws largely consist of a) statutory provision for payment of compensation for failure to protect sensitive personal information; and b) criminal provision for disclosure of personal information without the data subject’s consent or in breach of a contract. However, both provisions apply only if a wrongful gain or loss results from the disclosure or breach. Government-prescribed rules on privacy apply only if the parties have not agreed to their own security standards and, even if they do apply, the only consequence of non-compliance would be payment of compensation if the breach results in wrongful gain or loss[25].
The Policy covers many of the most pressing issues in national cyber security and lays out a number of ambitious goals under thirteen different categories but required to be followed by a detailed roadmap to realize the goals. Organizations are encouraged to develop their own information security policies integrated with their business plans by the policy but there is no mention of approach to converge all these polices to create a secured network.
Cyber Security is an approach to ensure peaceful use of cyber space. The continuous and dynamic nature of threat at cyber space requires a strategy backed by legal structure. The Strategy document has become international norms providing detailed implementation plan to ensure cyber security. The strategy document should be dynamic short-term and to be revised continuously considering the introduction of new technologies. Cybersecurity standards should be part of strategy document and should be defined by expert committee of industry experts which should be adopted by everyone in India whether private or government agencies. One regulatory agency should be created as national nodal agency to ensure adoption of prescribed security measures by stakeholders. Provision of online reporting of all cybercrime through a common platform from across the country should be encouraged. Considering the borderless nature of cyberspace, a cybercrime department operating at national level should be encouraged. In India there is need to replace current National Cyber Security policy with a Parliamentary Act followed by a national cyber security strategy document. The act will provide a legal status to the cybersecurity recognizing its importance.
Waldron, S. (2017, April 6). Experts Call for International Collaboration on Cybersecurity Issues. Retrieved June 28, 2018, from www.aaas.org: https://www.aaas.org/news/experts-call-international-collaboration-cybersecurity-issues
Australia, C. (n.d.). International collaboration. Retrieved June 27, 2018, from www.cert.gov.au: https://www.cert.gov.au/ci-big-business/what-we-do/international-collaboration
Hasan, M. (2016, November 13). International Cyber Security Cooperation. Retrieved June 25, 2018, from Modern Diplmacy: https://moderndiplomacy.eu/2016/11/13/international-cyber-security-cooperation/
Zago, M. G. (2018, January 31). Why the Web 3.0 Matters and you should know about it. Retrieved June 25, 2018, from medium.com: https://medium.com/@matteozago/why-the-web-3-0-matters-and-you-should-know-about-it-a5851d63c949
Encheva, D. (2016, July 20). India’s National Cyber Security Policy in Review. Retrieved June 26, 2018, from Kenes Exhibition: http://kenes-exhibitions.com/cybersecurity/blog/indias-national-cyber-security-policy-review/
U.S. DEPARTMENT OF HOMELAND SECURITY. (2018). CYBERSECURITY STRATEGY .
Ministry of Science, Technology and Innovation of Malayasia. The National Cyber Security Policy.
Group, S. A. (2017). Recommendations for International Cooperation in Security Research Report of the Horizon 2020 Protection and Security Advisory Group (PASAG) Abstract 1 . International Cooperation in Security Research, (July), 1–15.
Public Safety Canada. (2018). National Cyber Security Strategy Canada’s Vision for Security and Prosperity in the Digital Age. National Cyber Security Strategy. Retrieved from https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/ntnl-cbr-scrt-strtg/ntnl-cbr-scrt-strtg-en.pdf
Kroes, N. (2011). Cyber security : EU and US strengthen transatlantic cooperation in face of mounting global cyber- security and cyber-crime threats, (April).
Minsitry of Law, J. and C. affairs. (2000). Information Technology Act, 1–13. Retrieved from http://www.dot.gov.in/sites/default/files/itbill2000_0.pdf
Information Security Policy Council. (2013). International Strategy on Cybersecurity Cooperation - j-initiative for Cybersecurity -. Information Security Policy Council Japan.
Ministry of Electronics & Information Techonology. (n.d.). XII Five year plan on Information technology sector-Report of Sub-Group on Cyber Security.
India Department of Electronics and Information Technology. (2013). National Cyber Security Policy -2013. Ministry of Communications & IT Online, (5), 1–9. Retrieved from http://deity.gov.in/sites/upload_files/dit/files/National_cyber_security_policy-2013(1).pdf
[1] http://www.thehindu.com/news/national/other-states/the-cyber-con-artists-of-jamtara/article19476173.ece
[2] Cisco Annual Report, 2018: The attack landscape
[3] http://www.crossdomainsolutions.com/cyber-crime/ (Retrieved on June 28, 2018)
[4] NEWSLINE, August 2016, Nasscom
[5] https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/ (Retrieved on June 26, 2018)
[6] https://www.dsci.in/content/cyber-security-challenges
[7] https://www.itgovernance.co.uk/blog/what-are-the-future-threats-in-cyber-security/ (Retrieved on June 28, 2018)
[8] https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/ (Retrieved on June 21, 2018)
[9] https://www.gartner.com/newsroom/id/3790965 (Retrieved on June 29, 2018)
[10] https://economictimes.indiatimes.com/definition/cyber-security (Retrieved on June 28, 2018)
[11] Institutions for Cyber Security: International Responses and Data Sharing Initiatives; Nazli Choucri , Stuart Madnick , Priscilla Koepke Working Paper CISL# 2016-10 August, 2016
[12] National Cyber Security Policy -2013
[13] XII five-year plan on information technology sector “Report of Sub-Group on Cyber Security”
[14] Preamble, National Cyber Security Policy -2013
[16] Annual Report (2017) Indian Computer Emergency Response Team (CERT-In); Ministry of Electronics & Information Technology; Government of India
[17] https://www.dsci.in/content/gulshan-rai-becomes-first-chief-cyber-security-post-created-tackle-growing-e-threats-0 (Retrieved on June 29, 2018)
[18] http://www.nasscom.in/
[19] https://www.dsci.in/
[20] https://thediplomat.com/2017/10/its-time-for-india-to-update-its-cybersecurity-policy/
[21] http://kenes-exhibitions.com/cybersecurity/blog/indias-national-cyber-security-policy-review/
[22] Para 8, Sub Section ‘A’ of Section IV, National Cyber Security Policy, 2013
[23] https://cis-india.org/internet-governance/blog/indias-national-cyber-security-policy-in-review
[24] https://cis-india.org/internet-governance/blog/orfonline-bhairav-acharya-observer-research-foundation-cyber-security-monitor-august-2013-nsp-not-a-real-policy
[25] https://www.lexology.com/library/detail.aspx?g=e7b6cb3b-f534-45ba-b1fb-86d7ed39e558 (Retrieved on July 5, 2018)