The Centre is readying a National Cyber Security Strategy (NCSS) amidst reports of Chinese involvement in a blackout in Mumbai last year and one in Telangana that was narrowly averted.
The NCSS case, currently with the Union Cabinet, aims to ensure cyber awareness, safety through cyber audits, preventive measures, action during cyberattacks and remedial measures. The NCSS aims to plug loopholes in cyber laws, last updated in 2008.
The NCSS aims to improve cyber awareness and cybersecurity through more stringent audits. Empanelled cyber auditors will look more carefully at the security features of organisations than is legally necessary now. Table-top cyber crisis management exercises will be held regularly to reinforce the idea that such attacks can take place regularly.
The NCSS will outline what has to be done while a cyber attack is going on. There is a clear recommendation about digital forensics, about the need to collect digital evidence and how to do it. The “chain of custody” will also be outlined.
The NCSS looks at remedies. This involves finding the malware, taking it out of the system, and then going ahead with the most difficult task: finding out the origin of the attack. Identification of the ‘cyber kill chain’ is most difficult as attackers go through four or five hops and only the last IP address is easily identifiable. There will be references to PDP or personal data privacy. At present, Parliament is working on a PDP Bill.
There is a need for an apex body to ensure operational coordination amongst various agencies and ministries. At this point, there is the Computer Emergency Response Team or CERT, but the home ministry looks at cybercrime, the external affairs ministry looks after cyber diplomacy and there is a defence cyber agency, headed by a naval officer, a rear admiral. The apex body will ensure coordination: in most cases, all over the world, it comes under the prime minister or the national security adviser.
The NCSS is necessary, highly placed government sources said, as the cyber situation is vastly different from 2013 when the policy was unveiled. Threats have increased and issues like cryptocurrency, ransomware and artificial intelligence barely existed then.
The 2013 policy did not look at an action plan. Nor did it consider funding, a crucial issue. This is why there have been crucial failings. For instance, the 2013 policy speaks of having 500,000 cyber skilled personnel by 2018. There are at best just over 100,000 today. The quality of the personnel is variable.