Monday, November 5, 2012

Cyber Security Capabilities Of India

Maintaining cyber security at the international level is a tedious task. This is so because cyberspace does not recognises any boundary and cyber attacks can be launched from any part of the world. While cyber attacks upon various computer systems and computer resources are cause of concern yet cyber attacks upon critical infrastructures is of grave concern.

Cyber security in India is at initial stage. Even the information technology act, 2000 (IT Act 2000), which is the sole cyber law of India, does not address the cyber crimes and cyber security issues effectively. We have no dedicated cyber security laws in India and we urgently need a dedicated cyber security legal framework in India.

Meanwhile, India is increasingly facing cyber attacks and cyber threats from foreign nationals. In fact, the cyber laws and cyber security trends of India 2011 by Perry4Law and Perry4Law Techno Legal Base (PTLB) has clearly showed the cyber security vulnerabilities of India. Cyber terrorism against India, cyber warfare against India, cyber espionage against India and cyber attacks against India have already increased a lot. Even the cyber law trends of India 2012 by PTLB have also projected an increased rate of cyber crimes in India and cyber attacks against India in the year 2012.

The biggest cyber threat against India is originating in the form of cyber attacks upon Indian critical infrastructures. Critical infrastructure protection in India requires a well formulated policy. Presently we have no critical infrastructure protection policy of India. Further, critical ICT infrastructure protection in India is one area that requires special attention of Indian government.

Fortunately, Indian government has decided to streamline cyber security of India. The Indian government is in the process of finalising an elaborate plan to strengthen India's cyber security capabilities. A national critical information infrastructure protection centre (NCIPC) of India has also been proposed by Indian government. It intends to ensure critical infrastructure protection and critical ICT infrastructure protection in India.

There are few prerequisites that can make the NCIPC of India successful. Firstly, there must be a centralised ICT command centre of India that can coordinate various cyber security issues. Secondly, specialised agencies and authorities must be constituted for critical infrastructure areas like power, telecom, defense, aviation, etc. These agencies and authorities must coordinate with the centralised command centre for cyber security related issues.

Ministry of communication and information technology (MCIT) has already taken certain initiatives in this regard. For instance, a central monitoring system (CMS) project of India has been launched by MCIT to monitor and intercept electronic communications, messages and information. Further, a national telecom network security coordination board (NTNSCB) of India has also been proposed to strengthen the national telecom security of India.

Now Indian government is planning to step up cyber security protection levels, putting in place real time command-and-control centers and delineating responsibilities among various agencies.

Among the proposals are establishment of dedicated command-and-control centers in India to monitor critical infrastructure in real time, constituting computer emergency response teams (CERTs) for key sectors such as power, aviations, etc and formulation of elaborate protocols for all stakeholders involved in the process of ensuring cyber security in India.

The Cabinet Committee on Security (CS) may approve in a few weeks the multi-layered security plans to protect India's critical infrastructure. The national security advisor (NSA) and the cabinet secretary are working on the final plan.

There would be a clear demarcation of responsibilities between Computer Emergency Response Team-India (CERT-In), National Technical Research Organisation (NTRO), Intelligence Bureau (IB), Military Intelligence (MI) and other agencies that have a role in fighting cyber intrusions. Protocols would be formulated to ensure that there is no overlap between the functions and obligations of various agencies fighting cyber attacks against India. The proposed protocol will also cover department of telecom, department of information technology, National Informatics Centre etc.

Under the proposal, the government will also regularly and proactively monitor and scan critical networks. Not just that, the levels of security for these networks will also be stepped up. CERT-In may also be creating its own real time monitoring centre to strengthen it cyber security initiatives. The responsibility for monitoring critical infrastructure will be divided between NCIPC and CERT-In. The government will also set up dedicated CERT for critical sectors such as power, aviation etc where no such national monitoring mechanism exists.

This is a good step in the right direction and Perry4law and PTLB welcome this move. We also hope that with this the cyber security capabilities of India would be upgraded to the required levels.

Source: ICTPS Blog