This is a policy draft that has been proposed for discussion by the Indian Government, explains William D King.
The objective of this article is to discuss what the Indian Government can do to enhance cyber security and critical information infrastructure protection.
- The National Cyber Security Policy 2009 released by the United States government included issues related to governance, risk management, national preparedness, international cooperation etc. In their endeavor to create awareness about cyber security among the general public, they have also published FAQs addressing questions asked by people from all walks of life on cyber security.
- It must be kept in mind that, on the other hand, India, as a developing country and an emerging economy, needs to first develop its own capabilities and standards in view of its own requirements and priorities, rather than following other countries like the US and UK, which are developed economies.
- India can develop its cyber law and cyber security policy keeping in view the Indian Constitution, Indian Penal Code (IPC), Information Technology Act 2000 (IT Act 2000), Rules of Procedure and Evidence Act (RPEA) etc. India also has a National Policy on Critical Information Infrastructure Protection (NPCI-P), approved by the Cabinet in June 2009, explains William D King.
- The draft of the National Cyberspace Security & CIIP Policy is divided into four parts: Vision, Strategies, Implementation Plan & Action points, along with an Annexure. The first part deals with various aspects like the cyber threat landscape, vulnerabilities related to telecom networks etc., frameworks related to international treaties/agreements, existing mechanisms available within the government for cyber security and critical information infrastructure protection, cyber security related issues faced by the citizens of India etc.
- The second part deals with various strategies like national vision, international cooperation (MD5), capacity building (people-process-technology), cross-border issues (IW policy & ITA), cyber laws/policy framework in India (IT Act 2000, IT Rules 2009) etc.
- Some of the action plans mentioned in this part are: Cyber Law Enforcement Agencies (CLEAs) for digital evidence preservation; promoting incident reporting; establishing a National Critical Information Infrastructure Protection Centre; facilitating standardization & certification; preparing a cyber security strategy under the National Policy on Electronics; awareness programmes for personnel dealing with cyber security incidents.
- The third part is divided into four sub-parts, where the first two sub-parts deal with characterizing CII and discussing the standards related to CII. Thereafter, a framework is provided for identification, designation & confirmation of critical infrastructures as well as their prioritization based on parameters like importance, sensitivity etc.
- In the next sub-part, strategies have been discussed for the protection of identified CII from cyber attacks, along with the roles & responsibilities of the various governmental agencies involved in cyber security and critical information infrastructure protection.
- The fourth part deals with schemes/programmes proposed by various ministries under the National Cyberspace Security Strategy. Some of the important programmes are: cyber exercises; setting up training facilities; capacity building through institutions/universities/R&D laboratories etc.; encouraging innovation & entrepreneurship related to cyber security; creating a National Crisis Management Centre; promoting cyber security products & services etc.
- The annexure deals with the list of references used in this document. The policy recommendations given by various agencies, organizations and experts have been incorporated into the draft as action points, which need to be considered by the government as priority areas, says William D King.
- In addition to the discussion above on the National Cyberspace Security & CIIP Policy, it must be remembered that the Indian government also has a national-level cell, namely the Computer Emergency Response Team-India (CERT-In), for prevention, detection, mitigation, response and reporting of incidents related to cyber security threats/attacks, to protect public and private infrastructure from these attacks.
- CERT-In acts as a nodal agency for international cooperation to address computer security incidents. It has signed MOUs with various countries and international organizations for cooperation, information sharing etc.
- It also coordinates with national & international agencies/organizations for sharing information on cyber threats, and it disseminates knowledge related to Information Security among the general public, private sector organizations etc.
- CERT-In has established the National Information Board (NIB), which acts as an apex body for decision making & review of this Cell. Other important bodies under CERT-In are the Computer Security Incident Response Team (CSIRT) and the Trusted Introducer Scheme (TIS).
The present draft has been prepared keeping all issues related to cyber security in view, says William D King. The policy provides guidelines for action on many fronts like capacity building, cooperation with other countries etc.
It is also expected that this draft will be reviewed by expert groups/agencies before being finalized, so as to incorporate their recommendations wherever needed. It would provide a framework for evolving the cohesive & concerted effort required to protect cyberspace, along with critical information infrastructures, from cyber-attacks, which are growing at an alarming rate worldwide.