But the National Cyber Security Policy, 2013, is short on detail
Cyberspace is a new global commons, albeit of a different kind. It is man-made, with infrastructure the information and communications technology (ICT) that is owned by different countries, but is part of the cyber commons. Cyber attacks against the infrastructure of any country can come from anywhere in the world, with tracks that can be successfully hidden. No wonder the global cyber commons requires international cooperation to identify cyber attackers. Nations need to protect their respective cyber boundaries, even though cyber space is borderless. This is done through appropriate instruments, including policies, legislation, security programmes, awareness and training. The launch of the National Cyber Security Policy (NCSP), 2013, is a welcome step.
The government has taken several steps to enhance cyber security in the country. The first major step was the setting up of the Indian Computer Emergency Response Team (CERT-In) in 2002-03, to create awareness on cyber threats, understand vulnerabilities and devise ways to mitigate them. The National Technical Research Organisation (NTRO) was given the responsibility of protecting the critical information infrastructure (CII), and of developing offensive capability. The latter has done precious little.
The Information Technology Act, as amended in 2008, has raised the level of awareness about cyber crimes. It has identified many kinds of cyber attacks, including unauthorised access, spreading virus and spam, identity theft, voyeurism, bodily privacy compromise and cyber terrorism. It helps prosecute cyber criminals. But a comprehensive national cyber security strategy that empowers different agencies with coordination at the highest level is essential to secure India’s cyberspace. The NCSP articulates a broad policy structure.
A sound cyber security strategy should be based on a strong coordination mechanism that can lead the nation in awareness, education security standards and their effective implementation, confirmed through independent audits, as well as information sharing on threats and vulnerabilities, incident management, technology and practices development led by the private sector and clarity on the role of different government agencies. The NCSP takes a holistic view of the challenges and details strategies to address them. The policy presents a complete ecosystem for a secure computing environment, keeping in view the latest developments in other countries. The challenge, however, is implementing the policy and defining the specifics.