Cyber security has become an integral aspect of national security. Its area of influence extends far beyond military domains to cover all aspects of a nation’s governance, institutions, and business establishments; in effect, every citizen who walks the streets. The author defines its overwhelming possible damage to a targeted nation and its populace and analyses our preparedness status.
National security today is far more comprehensive than understood in its narrow military terms. There are more players in its architecture now than what existed 20 years ago. The existence of two major fault lines in our current system has contributed to slow development in the understanding of national security interests and objectives. The first refers to our institutions of governance, which are based on sector-specific knowledge and management systems and are unable to collaborate in delivering multi-disciplinary and multi-sectoral responses to evolving national or international situations. The second is the inability or failure to increase salience across the spectrum, which is not amenable to the national and regional situations referred to above. It’s an opportune moment to end the “silo” mentality and create trans-sectoral synergies in all areas of activities.
The need for a competent cyber security infrastructure as part of the national security policy cannot be overemphasized. The Kargil Review Committee (KRC), India’s first-ever political review of national security management, laid the foundation and brought to the table several areas of concern, future threats and rightly identified cyberspace as a main challenge.
The National Cyber Security Policy (2013) (NCSP) was a major step towards preparing India to address the threats and challenges in cyberspace. Its recommendations were comprehensive and designed to be covered over a period of 10 years. There is a considerable gap between its vision and results. The proposed policy will no doubt examine the shortcomings of its predecessor and also create solutions for the future. Fortunately, the National Telecom Policy – 2013 (NTP-2013) came at the right time so as to create a road map, and its successor NTP-2018 aids in progressing in the right direction. Both NCSP and NTP will have to effectively coalesce to make a comprehensive policy for 2030.
The challenges today are many, such as growing Chinese influence in the Indian telecom space, threats from other inimical institutions both inside and outside the country, a social media that is becoming a powerful tool for dissemination of “information”, making it difficult to sift fact from fiction, fake news, disinformation and misinformation, and daily attacks on critical information infrastructure. There are other vulnerabilities that need to be flagged and acted upon.
In my professional view, the following three should be considered for the next NCSP:
- Create Awareness
India has to create awareness about the perils existing in cyberspace and that not a single person or institution is immune to them. Today, there are three branches of society, namely the Government, Corporate and Civil society, that rely on digital communication for a variety of purposes. Creation of Awareness is, therefore, the first line of defence. More needs to be done to create awareness within the government, corporate world and civil society. It cannot be a top-down activity but a bottom-up methodology. While government and the corporate world are better placed perhaps to create their own programs, it is the civil society at large, comprising housewives, small-time businesses, self-employed entrepreneurs, student community and others, who need to be brought into this ambit. Government and corporates should help bridge this gap as a major responsibility.
Even in the government and corporate world, there is a major and urgent need to create awareness not only of cybersecurity but also national security.
There is a compelling case for the study of national security in all government institutions and cyber security must remain at its centre at all times. Each ministry/department will, therefore, need to create specific verticals for this purpose to educate lower bureaucracy and middle-level managers on the subject. This, importantly, has to be done at entry levels.
Further, in the case of the corporate sector and allied business activity, the government should advise them to create cyber security cells to manage digital security/information security. This is important as more and more private sector research and technology is being inducted into the government sector, therefore, calling for better safety and security. A large firm with over 5000 crore turnover having dealings with the government should have a full-time CISO and dedicated personnel. Lesser enterprises too should look for the creation of cells for the purpose. The Ministry of Corporate Affairs, Ministry of Skill Development, Ministry of Communications and Ministry of Commerce should be nodal agencies to help create the necessary infrastructure with the assistance of Indian technology leaders.
State governments are first responders to any threat to public safety, security and stability. This responsibility is executed through the State Police forces. Why only the State Police Forces? The other departments of the state governments also need to be made aware of the threats and challenges. The threats from cyberspace also must attract the attention of state governments. The need for cyber awareness must become important in this sector, as well.
Awareness is necessary for the banking sector, stock exchanges, financial institutions, manufacturing sector and others relying heavily on digital communications.
India’s public sector broadcasters should be drawn into efforts to give wide publicity to cyber threats and advice to the layman on observing cyber hygiene. This campaign should be undertaken by Prasar Bharati and its major platforms Doordarshan and All India Radio. Private media houses too must undertake this exercise as a corporate social responsibility.
The NCSP-2013 had set a target of 500,000 “Cyber foot soldiers” to meet national requirements. The estimates are now in the region of three million and growing. In addition, there is a growing demand for professionals in Artificial Intelligence (AI), Block Chain Technology (BCT), Internet of Things (IoT) and Machine Learning (ML). The Indian military, central police organizations, law enforcement agencies and others are deficient in manpower for the software and hardware aspects integral to this field. The status of the state governments, central and state public sector undertakings and private sector is equally worrisome.
Educational institutions including central universities, private universities, industry associations, Industrial Training Institutes (ITIs) – both central and state government-owned – should become first responders in the field of education and also integral in providing training, either at degree level or professional certification.
IITs (Indian Institute of Technology) are ideally suited as they are spread across the country. A change in curriculum, both theory and practicals, is necessary. ITIs are in both the government and corporate sectors.
The demands for professionals in AI, BCT, IoT, ML, Data analysis, and Forensics have to be addressed urgently in varied fields and sector-wise. A study will need to be done to determine the requirement sector-wise.
The challenge today is on capacity development and skills development, whether in-house or otherwise.
Another niche area that awaits attention is Cryptography.
The watchword for any sensitive organization that exists in the security space will have to be to Deter, Detect, Destroy and Document all attempts towards subversion, espionage and sabotage, before and as they unfold. This is equally true of the digital world. The watchword here is to develop self-reliance and come up with systems that are safe, secure and strong enough to withstand foreign interventions.
In this connection, the following may be relevant:
- Create opportunities for developing software to safeguard cyber security and digital communications. Government of India may consider including this in its “Make In India” programme.
- Create suitable hardware on a unique Indian pattern that can serve government and private entities.
- Develop software, hardware and human competence for Cryptosystems and their gradual induction in tiered platforms.
- Develop indigenous technology to meet our requirements, and
- Create higher institutions of excellence that will serve as hubs for research and development.
By Pratap Heblikar
(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of BharatShakti.in)