IIndia’s impressive progress in digitization is certainly revolutionizing how citizens and other state institutions conduct their affairs. But the country’s growing reliance on cyberspace has exposed the promises and dangers of an ancient strategic lore—increased reliance can also mean greater vulnerability.
India’s vulnerability in the cyber domain has long been recognized as an issue of national security. In 2013, a National Cyber Security Policy was issued, which recognized the complexity and dynamic nature of cyberspace, and the need to integrate actions guided by a unified vision and a set of consistent and coordinated strategies. As a result, the last decade has seen the implementation of a fair number of progressive measures to combat cyber threats. But India’s ability to tackle cyber security is outpaced by the sheer scale and pace of its digitisation, confounded by the complex character of the accompanying threats. It challenges our ability to take integrated action, develop strategies and implement them effectively.
This weakness has given rise to two areas of concern: political-strategic guidance, and the consequences that arise due to India’s federal nature.
Cyber Security Strategy: Major Incidents
A National Cyber Security Strategy should have immediately followed the National Cyber Security Policy of 2013 to transform the ‘what to do’ into the ‘how to do’. This was achieved by setting out policy-derived targets, identifying objectives and developing a strategy informed by available resources. However, it took seven years to prepare a draft strategy document, which was later circulated among stakeholders for comments. Yet, after more than two years, the strategy approved by the government is still awaited. Some insiders claim that important elements of the draft strategy are being followed. However, considering the multiplicity and diversity of stakeholders involved, a unified vision required to shape coordinated implementation of cyber security strategy has become the main casualty.
In the absence of coordinated implementation, a wide gap has arisen in the preparedness of different sectors of the cyber ecosystem. The Reserve Bank of India (RBI) has reportedly made impressive progress in the financial sector, while many other industries, such as health, power and energy – digitized public services, to name a few – are still laggards. Due to the interconnected nature of the system, this situation opens up vulnerabilities even in parts of the system that might be better prepared.
Structurally, the main executive body of this draft strategy is the Indian Computer Emergency Response Team (CERT-In), which was set up in 2009 and is responsible for responding to cyber incidents. Then, we have the National Critical Information Infrastructure Protection Center (NCIIPC), which was created in 2014 to protect critical infrastructure like power, banking and telecommunications. Both the organizations derive their legal authority from the Information Technology Act and issue detailed instructions to all concerned entities.
The main problem is that directives are implemented differently by different stakeholders. The problem is most acute in the case of state governments, where economic constraints coupled with apathy and unfulfilled expectations of financial assistance from the central government are the main constraints. The problem is more acute in states ruled by the Bharatiya Janata Party, as the directives are often seen as being implemented by the Centre. Therefore, cyber security has become another vector that fuels the perennial rivalry between the Center and the States.
Read also: Agneepath plan is the key to a strong army. The only hurdle is the selection process
Cyber security And CEntry-Stet ties
A state like Karnataka has around 100 apps that provide public services. These apps host immense data, which can be harvested by hostile forces apart from being used as gateways for other hostile activities., Monitoring of cyber security guidelines related to creation of apps and periodic audits is particularly weak in most states. Even at the state level, each ministry and department carries out its functions mostly as an independent body. This reflects a lack of oversight and treats cyber security as a low priority area.
Overall, there is a lot of room for improvement in the cyber security mechanism of state-level institutions. Take, for example, the corporate entities responsible for the distribution of electricity. Cyber security measures require continuous financial outlay, thus creating a constant conflict between the state government and the distribution companies or discoms. Discoms, already financially strapped, expect the state to provide finance to implement directives emanating from the National Critical Information Infrastructure Protection Center (NCIIPC) or the state itself.
Most states are financially strained and have too many competing demands on their budgets to give cyber security any meaningful priority. So, they ask for funds from the Centre, which often do not come. The overall effect is that cyber vulnerabilities remain in critical infrastructure and other areas.
Read also: The US-China Balloon War points to a troubling polarization. But India can help ease tensions
need one apex level executive body
What is evident from the results of the centre-state tussle is the absence of an apex body responsible for the execution of strategies developed by central institutions such as the National Security Council Secretariat (NSCS). Institutions such as the NSCS are accountable for both policy and national strategy and fall within the duties of the National Security Agency (NSA).
Most of the execution rests with the Ministry of Electronics and Information Technology (MeitY) and its nodal IT agency, the National Informatics Center (NIC). This has further been extended to the Ministry of Home Affairs and the Cyber Department of the Armed Forces, where distinct and ministry-specific priorities determine the what/how/when of key cyber security functions. Intelligence agencies form another vertical which has to be integrated with the functioning of these agencies.
The apex body in question should have legislative backing and be headed by a technocrat with a background in strategic affairs. Similar bodies should be set up by the states, and the head of the apex body should be given the rank of a minister of state considering the importance of his position.
Read also: Galwan to Leh Police Report – Modi Govt’s Censoring Information, China-Style
Navigating through established structures
The question that arises is this: where do you fit the apex body into the existing government structure? This is a tricky question that needs to be resolved by the National Information Board (NIB) headed by the NSA. The NIB is tasked with formulating the National Information Warfare and Security Policies. It not only emphasizes the development of domestic capabilities in the defensive and offensive areas but also calls for responsibility in creating the necessary institutions and structures to implement the policies.
There is not much information about the achievements of NIB in the public domain. But it is clear that it will have to work together and of course address one tricky question: which acts as the acting counterpart to the cyber security elements of India, that pervades Government and private organizations? A study is needed, and there is much to be learned from other countries.
Keeping in mind the complexities prevailing in cyberspace, an area which remains unregulated internationally, the need for an apex executive body becomes very apparent. Going forward, the strategic vulnerability associated with cyberspace will only expand. Cyberwarfare provides opportunities for destructive forces to operate below the threshold of operations less than combat (OLTW).
Today, India holds a major share of the global IT and cyber security services market. Some of the best international cyber security practices are innovated and serviced from global competence centers and research and development centers based in India. Thus, the experiences of India’s private sector will be useful for the objectives of the national cyber security governance.
Ironically, not uncommonly, we are aware of the problems and probably have too many solutions in our heads. Still, we cannot get them implemented. It has always been the bane of government business. But given the growing importance of cyberspace in the national security landscape, there is no alternative, especially in the coming decade, which appears to be on a slope of increasing geopolitical conflicts.
Lt. Gen. (Dr.) Prakash Menon (Retd.) is the Director of Strategic Studies Programme, Takshashila Institute; Former Military Advisor, National Security Council Secretariat. He tweeted @prakashmenon51. Thoughts are personal.
(Edited by Zoya Bhatti)