On Monday, national security adviser (NSA) Shiv Shankar Menon released the report of the joint working group (JWG) on cyber security. The group had been formed in July this year with private sector stakeholders. Representatives from industry along with government officials constituted five sub-groups to study specific areas that required intervention. Although the JWG was an overdue exercise considering the frequency and sophistication of cyber attacks in the country and across the world, the fast pace at which the report was issued is laudable and highlights the nature of this rather ignored aspect of national security. Its importance is underscored by the fact that the effort had the endorsement at the highest levels of the government and had the encouragement of the Prime Minister, who had referred to its necessity in his address to police chiefs last month.
Although cyber security needs in India have been realized for a while now, it has mostly been a reactive effort with modest acceptance of attacks on networks, including sensitive ones. However, the constant attempts and probes from foreign networks and, significantly, the Stuxnet attacks in July 2010 where more than 6,000 computers were affected in India by this sophisticated worm and the attacks on the website of the Central Bureau of Investigation in December 2010 led to the much needed thrust. While CERT India and the National Technical Research Organisation were projected as the institutions to deal with cyber security issues, these organizations were simply inadequate to address the extent of the problem and the changing nature of the menace. Similarly, the efforts to have sectoral cyber security officers and coordinate through the office of the deputy national security adviser—who coordinates all cyber security related matters in the country—didn’t produce the optimum structure.
The missing element was the participation of the private sector which was responsible for almost the complete technical infrastructure that facilitated the operation of Internet services in the country. However, most of the elements that have been used to build this infrastructure rested with foreign companies—software from western countries and hardware from Chinese and Taiwanese manufacturers. Indian IT giants undertook most of the system integration roles and project management with some exceptional roles for local made encryption either fostered through the Defence Research and Development Organisation or the Department of Electronics and Information Technology. Resultantly, capacity building in all the three areas of software development, hardware manufacturing and integration competency was essential if India had to move forward in this area. As market forces and the maturity levels that they perform dominate these sectors, nothing significant has still happened in India despite attempts to foster a competitive hardware and software domestic industry. The point is how to harmonize the existing framework with the need for building national level competence in these sensitive sectors. It is naive to think that India can create this infrastructure in future by solely relying on its products and system integration capabilities. This is where the JWG recommendations are useful. The report highlights the need for institutional mechanisms to promote optimal participation of private and public sectors. It has suggested a permanent mechanism for such involvement whereby capacity building, the legal framework and policy support can foster public-private partnership in cyber security. The ultimate vision for such capacity building is to establish India as a global hub for development of cyber security products, services and manpower. Besides capacity building, the report has laid out a roadmap for institutional framework, security standards and audit and testing and certification. India’s global participation in cyber security efforts has also been a focus area of this effort. The plan for implementing these recommendations will be undertaken by a permanent JWG and, hopefully, it will include different shades of opinion, something that will prove useful to this effort.
As a first step, four pilot projects have been identified to start this partnership. These include the setting up of a pilot testing lab; the conducting of a test audit; a study to understand vulnerabilities in a sample critical information infrastructure; and the establishment of a multi-disciplinary centre of excellence (CoE). Security audits have, so far, been conducted by the private sector and testing tools have also been shared, but what needs to be done is to standardize them and optimally use the resources that could be worked through this CoE. One issue that has been missed is to factor in the “sanitization” of human resources for cyber security purposes. Individuals and institutions have to be certified so that they can work in trusted networks for dedicated research and development in this area and also in operational matters. This will also ensure real collaboration that has, so far, missed the mark due to a trust deficit between different partners.
While many of these recommendations have also been suggested in the draft national cyber security plan that was notified last year, the key point is the cohesive functioning of the permanent JWG and the implementation of these recommendations.
Subimal Bhattacharjee heads a multinational defence corporation of India and writes on issues of cyberspace and security.
Comment at email@example.com