(In May 2014, when the BJP/NDA, headed by Sh Narendra Modi as the Prime Minister, took over the responsibility to lead our great nation to the next era, I had made a few suggestions to improve the national cyber security posture. It is now time to see what got achieved and where we are still lagging or where the issue has become irrelevant. Following is the copy of my letter.)
On 02nd July 2013, the Department of Electronics and Information Technology released the National Cyber Security Policy (NCSP-2013). The document is confused between policy and strategy on cybersecurity. Policy should have been overarching and not constrained by timelines. The vision limitation set for five years is a constraining factor. Many national security aspects have not been covered, while some themes are found repeatedly. Only one organisation's name appeared, as if India does not have any other organisation in the field of cybersecurity (either no organisation should have been named or most should have been covered). For example, an objective to have 5,00,000 cyber security professionals has been set for the next 5 years without any plan or outlay. Either a complete plan should have become part of the strategy, or no fixed target should have been set and a policy for capacity building should have been elucidated. Thus NCSP provides limited direction, but there are many things which must be achieved by the next government in the next five years.
Following are achievable targets for next five years for securing Indian Cyberspace:
1. Revive National Information Board. Information Security, of which Cyber Security is a sub-set, is a multi-disciplinary aspect. Without comprehensive and well-coordinated inter-ministerial, inter-departmental and Public-Private-Academia cohesive action, there will be an ad-hoc cybersecurity environment in the country. NIB should meet at least once every six months and publish its reports which can be made public. This will give clear direction to all.
2. NIB should present annual National Cyber Risk Assessment Report to the Parliament.
3. There should be following empowered working groups reporting to NIB on the matters of Cybersecurity:
a. Best International practices and perspective plans
b. Regulatory and Compliance
c. Law Enforcement, Intelligence and defence coordination
d. Critical Information Infrastructure Identification and Protection
e. Research, development and Indigenous efforts
f. Public-Private-Academia coordination
g. International relations
4. These working groups should make yearly and emergency reports to the government through NIB along with a proposed action plan. The unclassified part of their reports should be published. The working groups should have a healthy mix of government officials, subject professionals, cybersecurity experts and academia. Private sector confederations should nominate industry professionals to these groups.
5. NIB should aggressively act to ensure that India has a presence in various international Internet governing bodies.
6. Establish National Cyber Security Coordinator under National Security Council Secretariat for handling day-to-day coordination.
7. All national level guidance and policy should be issued through NCSC.
8. MEA should coordinate with other nations for bilateral and multi-lateral treaties/convention, especially in UN.
9. MEA should work towards India signing Convention of Cybercrime within the next two years.
10. Create coordinating web of sectoral cyber watch, warning and incident response (WW&IR) centres. CERT-IN should be tasked to lead and enable these centres. These centres should be in form of inverted tree branching out to last mile in each sector.
11. Analytics should be used extensively by WW&IR centres.
12. CERT-IN should consolidate and coordinate interdependency between sectors. Monthly Risk estimation report should be published.
13. CERT-IN should hoist cybersecurity warning flags to indicate threat level in Indian Cyberspace.
14. CERT-IN should coordinate with national and international vendors to estimate generic as well as India specific malware in cyberspace and create antidote urgently.
15. CERT-IN, directly as well as through WW&IR centres, should spread awareness. All tools such as conferences, seminars, media interactions, general public announcements, talks etc. must be used.
16. NIC must conduct Information Security risk assessment and audit of all government websites and networks. Defence and Intelligence agencies can conduct such audits separately but must give assurance to NIC that such audits were conducted, along with the percentage of audit observations that could not be closed within six months.
17. HRD Ministry, in coordination with UGC, should develop the following:
a. Preferred subjects in cybersecurity for research for PhD Degree.
b. Curriculum for M.Tech (Information Security)
c. PG diploma in specific field such as Cyber Forensics, Incident handling, Compliance & auditing, cryptography, Network Security, Web Security, Application security, Firmware Security etc.
d. Curriculum for B.Tech (Information Security)
18. HRD Ministry should set minimum standards for any Diploma / Certification to prevent ad-hoc and sub-standard training by private players.
19. Accreditation by NABET should be mandatory for information security trainers to achieve minimum quality of instructors.
20. NTRO should be empowered for coordination of Cyber Intelligence.
21. NTRO/NIIPC should be made nodal agency for Critical Information Infrastructure Protection in accordance with section 70A of IT Act 2000.
22. During peace time NTRO should function under cabinet secretariat but during imminent cyber conflict/ war, it should get deeply engaged with Defence Ministry. During military hostilities NTRO should come under Cyber command of HQIDS/CDS.
23. MoD should create Cyber Command under CDS/HQIDS.
24. National Cyber war-fighting doctrine and Rules of Engagement should be developed by Cyber command and relevant classified directive be issued to all through NIB especially on RoE.
25. Judiciary, Public Prosecutors and investigators should be provided training on national and international laws related to Information Technology. Short Course through private sector should be developed for lawyers. Law colleges should have Cyber law as part of curricula, while short courses should also be conducted for working professionals. International laws, cyber forensics and laws of cyber evidence should be part of such training.
26. Law Enforcement Agencies should be provided with necessary training and tools for investigations involving computers or mobile phones or any digital device.
27. Cyber Forensics should be given thrust. Private players should be involved especially in role of DEFR, profession related analysis etc.
28. All entities with turnover more than say 5 Crores must nominate CISO, while all entities with turnover say 10 Crores must have qualified DEFR either directly employed or through third party.
29. STQC Department should be tasked to develop sector specific cybersecurity standards. International sector specific standards such as ISO/IEC 27011 and ISO/IEC 27799 should be adopted.
30. Critical Information Infrastructure should be classified by intensity of impact on nation in case of their failure due to cyber-attack or software glitch. Necessary fail over processes and procedures must be developed.
31. Industry must be provided incentives for development and commercialisation of cyber security products.
32. IISc be nominated to coordinate amongst Academia for developing Centres of Excellence in Information Security. At least 20 Centres of Excellence should be established.
33. ISTDC be given enhanced funds to invest in futuristic research in Cyber Security.
34. Planning commission should make cyber security expenditure as a planned expenditure and allocate appropriate funds. A benchmark of 8% of IT spend on IT Security could be used.
35. Ministry of Home Affairs should create Cyber Crime Control Centre.
These are some of the achievable objectives for the next five years which can provide an effective Cyber shield to our nation.
Recommended By:
Commander Mukesh Saini (Retd.),
Former National Information Security Coordinator (GOI)
Abbreviations used
Abbreviation - Full form
CDS - Chief of Defence Staff
CERT-IN - Indian Computer Emergency Response Team
DEFR - Digital Evidence First Responder
HQIDS - Headquarters Integrated Defence Staff
HRD - Human Resource Development
IEC - International Electrotechnical Commission
IISc - Indian Institute of Science
ISO - International Organization for Standardization
ISTDC - Information Security Technology Development Council
IT - Information Technology
IT Act - Information Technology Act
MEA - Ministry of External Affairs
MoD - Ministry of Defence
NABET - National Accreditation Board for Education and Training
NCSP - National Cyber Security Policy
NIB - National Information Board
NIC - National Informatics Centre
NCSC - National Cyber Security Coordinator
NTRO - National Technical Research Organisation
PG - Post Graduate
RoE - Rules of Engagement
STQC - Standards Training Quality Certification
UGC - University Grants Commission
UN - United Nations
WW&IR - Watch, warning and Incident Response