The current cybersecurity policy was established in 2013 with a vision to build a secure and resilient cyberspace for citizens, businesses and the government.
Anticipating the boom in the IT industry and the resulting need for a cyberspace policy, the document was published with a mission to protect information and information structures, prevent and respond to cyber threats, and minimise the damage from cyber incidents.
Briefly, the policy tries to create a secure cyber ecosystem in the country with an assurance regulatory framework and establish a mechanism that can monitor and respond to threats. It also asks for the development of indigenous security technologies and the creation of a workforce of professionals skilled in cybersecurity.
The policy document tries to lower the risk of cyber threats by formulating several strategies to reduce supply chain risk, create cybersecurity awareness, develop private-public partnerships, and enhance bilateral and multilateral cooperation at a national and global level.
This article analyses the shortcomings of the policy based on what experts in the field have to say, how COVID-19 exposed several of its weaknesses, and what needs to be considered for the new cybersecurity policy.
Shortcomings of the current policy
Comments from experts raise several concerns about the current cybersecurity policy in terms of coordination, regulation, and overall awareness of the subject.
One of the main concerns is the lack of communication between the governments and private entities, which exposes the fault lines within the cybersecurity ecosystem. This also includes processes for disclosing security vulnerabilities in government entities.
It is essential to mandate cybersecurity compliance and create regulation to handle data breaches to ensure accountability. Without these regulations, enterprises currently invest in cybersecurity only for the sake of compliance. The lack of regulation is also evident in the absence of a personal data protection law, without which most IT security policies cannot be used to protect data.
Lastly, there is a lack of awareness of this subject that is evident even among government officials.
Cybersecurity after the onset of COVID-19
The onset of COVID-19 exposed the weaknesses in the current cybersecurity policy even further. Everyone needing to work from home, outside the firewalls of their firms, led to an increase in security incidents.
According to a survey conducted with employees across organisations in India, 66% of them faced at least one data breach. Security experts observed a 500% rise in the number of cyber attacks and security breaches and a 3 to 4 times rise in the number of phishing attacks from March, when the lockdown started, to June.
There was also an increase in the number of financial transactions, resulting in a rise in fraudulent attacks, according to a report by the Data Security Council of India. A similar rise was also seen in the healthcare sector, with fraudulent behaviour leading to identity theft, among other things. Over a thousand attacks were also reported in the education sector.
As a response to the rising number of attacks, the Home Ministry of India issued an advisory, with suggestions on prevention of cyber thefts, especially for those working from home. The Computer Emergency Response Team – India (CERT-In) also published the possible sources of cyber attacks and best practices that could be followed to ensure safety.
CERT-In also successfully conducted the ‘Black Swan – Cyber Security Breach Tabletop Exercise’ to deal with cyber crises and incidents emerging due to the COVID-19 pandemic, resulting from lowered security controls as people work from home.
To account for the fraudulent behaviour in the finance sector, the government is also considering the setting up of a Computer Emergency Response Team for the Financial Sector (CERT-Fin).
Finally, the Prime Minister of India also announced a new cybersecurity policy for a safe and secure cyberspace in India on Independence Day this year.
Direction of the new cybersecurity policy
As India comes up with a new cybersecurity policy in 2020, experts recommend a focus on domestic demands and greater incentives for the private sector to participate in government contracts.
There should also be greater engagement between the information security community and government. The policy should further facilitate an environment to encourage research in cybersecurity innovation.