Harvard’s ‘National Cyber Power Index 2020’ assesses the capabilities and intent of 30 countries expressing ambitions to acquire and project ‘cyber power’. India was pegged at a modest rank of 21. China ranked second.
It is clear that India’s policies to enforce deterrence in cyberspace have achieved limited success—largely because they’re products of a different age. This is a serious cause for concern—especially as China simultaneously advances aggressively at our ‘offline’ northern and eastern borders. Adopting a defensive posture to protect India’s national interests in cyberspace has become the need of the hour.
Till now, the National Cyber Security Policy formulated in 2013 has served as the lodestar guiding the government’s cybersecurity practices. However, since then, there have been rapid technological developments with significant geopolitical implications. These need to be addressed from a security perspective at the highest levels of governance to develop an integrated, holistic approach to cybersecurity.
To that end, the National Security Council Secretariat (the Secretariat) issued a call for public comments in December 2019 to help formulate a National Cyber Security Strategy (NCSS) for 2020-2025. The NCSS would “ensure a safe, secure, trusted, resilient and vibrant cyber space for our Nation’s prosperity.”
The realization of this vision rests on three pillars—“secure” (the national cyberspace), “strengthen” (structures, people, processes, and capabilities), and “synergise” (resources including cooperation and collaboration).
The release of the NCSS is imminent. As we await its release, based on our detailed inputs to the Secretariat and subsequent research, here are our predictions on the four issues that we expect will be addressed by the NCSS.
Prediction 1: Will India Balance International Cybersecurity Debates and Domestic Interests?
It is significant that the Secretariat’s call for comments recognized the emergence of “technological cold wars and increasing state sponsored cyber attacks.”
This is largely because the advent of hybrid warfare adversely affects not only India’s territories, but it’s cyberspace too. The discovery of potential North Korean malware at both the Kudankulam Nuclear Power Plant and the Indian Space Research Organisation (ISRO) last year, and recent revelations of a Chinese firm tracking Indians’ personal data highlight just how vulnerable Indian cyberspace can be.
‘National Cyber Security Coordinator (NCSC) has been constituted to study the Zhenhua Data Information Technology Company’s activities in detail, evaluate security implications and coordinate India’s response.’#GazetteUpdates https://t.co/3g9mi2EzO8 pic.twitter.com/mxQYhsmNNs
— Live Law (@LiveLawIndia) September 17, 2020
And so, while the NCSS envisages a five-year policy horizon for cybersecurity, it should also bear in mind the rapid evolution of cybersecurity threats, as well as the changing tactics and strategies of adversaries. The NCSS will need to be dynamic, to keep up with this rapidly changing geopolitical landscape, and simultaneously protect India’s interests.
This might be difficult though, given the backdrop of a ‘technological cold war’ raging between the United States (US) and China—most notably exemplified by the US’ ban on Chinese tech giant Huawei, among other Chinese companies. This has been done, as reported by CNN, because “Washington has long alleged, without providing proof, that Huawei products threaten national security because they could be used to spy on Americans. Huawei has repeatedly denied that its gear and products pose a national security risk.”
Such polarising actions are likely to carve a clear political divide between different State policies towards cyberspace regulation in light of security concerns at international fora. For example, while the US is calling for an open and free cyberspace globally, the Sino-Russian camp wants States to be granted more leeway to protect their sovereignty and national security concerns in and through cyberspace.
Currently, India is positioned rather awkwardly in the middle of this divide, which may explain India’s low-key participation in the United Nations’ proceedings to develop international rules and norms to regulate State’s behaviour in cyberspace with. Even though the Indian government has publicly declared a “data sovereignty” stance with respect to national data governance, it has also recognized the need for a “free and fair digital economy” as per the Preamble to the Draft Personal Data Protection Bill, 2019.
Thus, it remains to be seen as to how the NCSS will reconcile ‘data sovereignty’ with the expectations of allies and defence partners who are committed to a free and open cyberspace.
Prediction 1: The Centre for Communication Governance’s (CCG) inputs to the NSCS had recommended espousing the principle of ‘peaceful uses of cyberspace’. However, in light of escalating hybrid warfare tactics being adopted by India’s rivals and adversaries, its adoption is extremely unlikely. Some reference to India’s ‘sovereign rights’ as a State, or maybe even practicing ‘self-defence’ in cyberspace appears likely in the NCSS.
Prediction 2: Will the NCSS Address Cybercrime?
In addition to State-sponsored activities, there has been an exponential increase in cyber crimes, especially through phishing attacks and ransomware. Indian law enforcement agencies’ lack of access to data stored by big-tech companies overseas remains a major challenge in the investigation and attribution of cybercrimes, including among others, the menace of cyber frauds.
This necessitates more focus on building both international cooperation and sharing mechanisms for electronic data. In all likelihood, this is also one of the major reasons behind the Indian government proposing data localisation measures in the Draft Personal Data Protection Bill, 2019.
— The Wall Street Journal (@WSJ) December 26, 2016
However, crime is an issue that governments across the world have addressed in their own national cybersecurity strategies, albeit broadly. The United States, for instance, has stated in its own cybersecurity strategy that it will “push other nations” to expedite assistance in criminal investigations, or comply with bilateral/multilateral obligations. Notably, it has also expressed a willingness to “aid willing partner nations to build their capacity to address cyber-criminal activity.”
Prediction 2: As capacity building for law enforcement agencies—including in cyber forensics—is reportedly underway, the rise in cybercrime as well as broader government measures to combat it should receive attention in the 2020 Strategy.
Prediction 3: What Might the Institutional Architecture and Allocation of Resources for Cybersecurity Look Like?
Currently, diverse ministries are engaged in enabling different aspects of cybersecurity.
For example, as of now, the government recently announced the establishment of the Defence Cyber Agency—a tri-service command of the Indian Armed Forces tasked with handling cyber-threats. The roles of these different agencies and ministries with respect to the NCSC’s office and their relationships with each other will hopefully be streamlined in the policy.
That OTT platforms and online news services are to be regulated by the Ministry of Information and Broadcasting (I&B) instead of the Ministry of Electronics and Information Technology (MeitY), is also a strong indicator of institutional re-organisation. This move aligns with one of the State’s security objectives of enabling greater State control over online content—the censorship of mass media has always been the domain of the Ministry of I&B, not MeitY. Presumably, this line in the sand will free up MeitY’s docket to pay closer attention to core technical concerns in the implementation of cybersecurity practices and policies.
So, as the government’s principal strategy for ensuring the nation’s cybersecurity, the NCSS can potentially clarify the roles of different institutions that will be involved in enabling a secure cyber ecosystem.
Additionally, a key factor for the successful implementation of any national strategy—whether on cybersecurity or otherwise—is the allocation of appropriate funds to responsible government agencies and public authorities. It is apparent that the Secretariat is mindful of this, but assessing the level of priority being accorded to the NCSS in government spending, only if there is a clear outlay of expenditure in the NCSS.
Prediction 3: Now, although changes are required in India’s cybersecurity architecture, it is still unlikely that the government will use a policy document like the 2020 Strategy to suggest any major organisational shuffles. Government notifications, memoranda or amendments to the Government of India (Allocation of Business Rules), 1961 are the appropriate tools to do this. Therefore, continuing to track developments in administrative structures that have a bearing on technology policy at large will be imperative, as these structures and their staffing will invariably influence—both directly and indirectly—the cybersecurity posture of the government.
As per General Pant’s comments, the policy “will also set aside a budget for funding cybersecurity work,” over the five year period. This budgetary allocation was missing in the National Cyber Security Policy, 2013. Such an announcement will undoubtedly help civil society to keep track of the break-up of expenses and actual allocations to various departments and ministries, vital to ensuring the accountable implementation of the NCSS.
Prediction 4: Public-Private Cooperation: A Relationship of Common but Differentiated Responsibilities
It is becoming increasingly clear that ensuring national cybersecurity requires effective and efficient public-private partnerships—Australia, Estonia, France, Germany, Switzerland, the US, and the UK have all charted out goals in their cybersecurity strategies to integrate the private sector to maintain national cybersecurity.
As far as India is concerned, programs like Digital India’s Surakshit Bharat—a collaboration between MeitY and a consortium comprising Microsoft, Intel, WIPRO, Redhat, and Dimension Data—indicate that the Indian government is cognizant of the importance of public-private partnerships.
There’s also the fact that currently, the vast majority of technical expertise is concentrated in the private sector. Cyber-skilling and knowledge-sharing programmes like the Emerging Technologies Initiative spearheaded by the New, Emerging and Strategic Technologies (NEST) division of the Ministry of External Affairs can be useful for sharing knowledge and expertise between the public and private sectors. Indeed, the role of the private sector in supporting national cybersecurity goals is only going to be enhanced when the Draft Personal Data Protection Bill, 2019 becomes law and the obligations of data localisation and data security are enforced.
With less than 2 weeks to go before @RBI data localisation deadline ends, @NPCI_NPCI MD &CEO @dilipasbe says, “All players have to comply with data localisation.” He also talks about the draft data law, WhatsApp Pay & more -full interview here:?#payments https://t.co/qRf3OKa6ap pic.twitter.com/FcyJp7kPhy
— digbijay mishra (@digbijaymishra1) October 3, 2018
So, it is crucial for public-private cooperation to be crafted in a manner that maximizes avenues for collaboration, cooperation, and information sharing. As recent news reports indicate, the equitable principle of “Common But Differentiated Responsibility” (CBDR) will be adopted for assigning roles and responsibilities to various stakeholders across sectors.
This was among CCG’s key inputs to the Secretariat. The principle of CBDR, which originates in international environmental law, should be supplanted into the domestic regulatory context to ensure that the most cyber-capable stakeholders are also the ones held most responsible for ensuring peace, stability, and security in cyberspace. How the government interprets the CBDR principle to define this relationship between the public and private sectors will be crucial to taking these partnerships forward sustainably.
Prediction 4: The CBDR principle suggested by CCG will likely feature in the 2020 Strategy for allocation of responsibility among various stakeholders. It will be interesting to see how the government plans to interpret and apply this principle through other policies, including cyber insurance.
What are we to expect overall?
Unlike the National Cyber Security Policy 2013, which consisted mostly of general guidelines, the National Cyber Security Strategy 2020 is expected to take a whole-of-nation approach to cybersecurity. The NCSS will ideally lay out a roadmap that involves all stakeholders, in order to achieve an optimum level of cybersecurity in India.
However, a clear, coherent strategy for national cybersecurity is only the first step. India still has a long way to go, if we hope to improve our Cyber Power Rankings enough to repel the real geopolitical threats of Chinese advances and incursions—both offline and online.
India’s new digital landscapes require new, flexible regulations—but, how do you develop laws for unchartered terrain? For some answers, click here to read more under ‘Regulating for a Digital Future’, curated by The Bastion and the Centre for Communication Governance, NLU Delhi.
The Bastion is happy to announce a new Technology vertical, where we’ll be covering how the future intersections of tech, policy, and society will affect India’s development journey. To read more of our technology coverage, click here. Interested in writing for us? Click here to read our submissions guidelines.