Is India’s cyber policy all words and no action?

The Indian government is trying to strengthen cyber security with the new cyber policy, but little is yet understood about how the ambitious proposals will be put in place

The Indian government is trying to strengthen cyber security with its new cyber policy, but little is yet understood about how the ambitious proposals will be put in place.

Online security in India is vital as the government and businesses attempt to introduce services to citizens online and via mobile channels. The country’s IT service providers will also benefit from a more secure reputation when global customers consider their services.

The National Cyber Security Policy seems to be incomplete as a final draft, as it is not accompanied by a national cyber security action plan document or any guidelines

Manatosh Das, Forrester

The National Cyber Security Policy Notification, released in July, said: “In the light of the growth of the IT sector in [India], ambitious plans for rapid social transformation and inclusion growth, and India’s prominent role in the IT global market, providing the right kind of focus for creating a secure computing environment and adequate trust and confidence in electronic transactions, software, services, devices and networks has become one of the compelling priorities for the country.”

Policy needs an implementation plan

The notification details the government’s ambitious plans. But despite the concerted effort by government to address concerns, the policy so far does little to explain how it will be implemented.

Ashish Thapar, head of global consulting and integration services at Verizon India, said the cyber security policy lays out "what we would like to do but does not cover the implementation part”. He said a strong mandate should come from the government to the states.

Manatosh Das, senior analyst, security and risk, at Forrester, added that the policy is merely a collation of policy statements and lofty objectives – but without any definitive action plan. 

“It seems to be incomplete as a final draft, as it is not accompanied by a national cyber security action plan document or any guidelines. There are no clearly defined parameters for the effective implementation of the policy," he said.

Das said the notification means nothing on its own. He added that even though the IT Amendment Act 2008 was announced a few years back, there is no sign of implementation, indicating the lack of a strong regulatory framework for cyber security.

According to the Computer Emergency Response Team – India (CERT-In), an estimated 14,392 websites in the country were hacked in 2012. Das said there are not enough security solutions in place, at corporate or government level, even as the attacks get bolder.

Investing in security expertise 

India’s cyber security faces myriad problems due to a lack of awareness at both individual and institutional levels. 

“There is a lack of trained and qualified information security professionals for handling sophisticated attacks and understand the dynamics of cyber security,” said Das.

This lack of experts is not lost on India's business and public sectors. Tata Consultancy Services (TCS) and the Foreign & Commonwealth Office (FCO) of the UK government recently launched a cyber security and public policy education program for Indian professionals.

Benefits of the policy

On paper, the policy has a number of positive announcements, including fiscal benefit to businesses for adopting standard practices, as well as mandating organizations to earmark a budget for security initiatives. 

It emphasizes the need to create a workforce of 500,000 security professionals in the next five years through skills development and training programs, providing more opportunities for professionals.

Even without the new policy, business necessity is driving security investments.

On paper, the policy has a number of positive announcements, including fiscal benefit to businesses for adopting standard practices, as well as mandating organizations to earmark a budget for security initiatives

“My experience is that companies are maturing from antivirus to vital requirements such as data loss prevention (DLP) and security information and event management technologies. In other words, firms are seeking comprehensive security assessment,” said Verizon's Thapar.

A growing mobile threat

The growth of mobile phone use in India presents specific challenges to its cyber security. Large businesses in India, such as banks, are already focused on securing mobile transactions because they are critical to growth.

“Smartphones are intelligent devices and can match the high-end computing devices. They are easy targets for someone who wants to access them,” said Thapar. He added that botnets and phishing are increasingly being used by hackers for large attacks.

Forrester's Das does not think corporate networks can handle sophisticated, targeted and advanced persistent threats (APTs) arising from mobile devices in the workplace. One of the most challenging tasks is to manage different operating systems on mobile devices.

“It’s difficult to address the security requirements for a vast range of mobile platforms. This increases the overall security exposure for the organization. Besides this, Employees' use of unsecured internet connections on smart mobile devices for personal use can infect the end point, which in turn can pose a threat to the corporate network,” said Das.

Read more on Security policy and user awareness