Most states are financially stressed and have too many competing demands on their budget to accord cyber security any worthwhile priority.
India’s impressive progress in digitisation is certainly revolutionising how citizens and other State entities conduct their affairs. But the nation’s growing reliance on cyberspace has highlighted the promises and perils of an ancient strategic lore – increased dependency could also mean greater vulnerability.
India’s vulnerability in the cyber domain has, for long, been recognised as a national security issue. In 2013, a National Cyber Security Policy was issued, which flagged the complexity and dynamic nature of cyberspace, and the need to unify actions guided by an integrated vision and a set of sustained and coordinated strategies. Consequently, the last decade has witnessed the implementation of a fair number of progressive measures to deal with cyber threats. But India’s ability to cope with cybersecurity is being outpaced by the sheer scale and speed of its digitisation, confounded by the complex character of accompanying threats. This challenges our ability to take unified actions, evolve strategies and implement them effectively.
This weakness has created two areas of concern: politico-strategic guidance, and the outcomes that emanate due to India’s federal nature.
Cybersecurity strategy: The main casualty
A National Cyber Security Strategy should have quickly followed the 2013 National Cyber Security Policy to convert the ‘what’s to be done’ to ‘how to be done’. This could have been achieved by distilling policy-derived goals, identifying objectives and evolving a strategy informed by available resources. However, it took seven years to formulate a draft strategy document, which was then circulated among stakeholders for comments. Yet, more than two years later, a government-approved strategy is still awaited. Some insiders claim that important elements of the draft strategy are being followed. However, considering the multiplicity and diversity of the stakeholders involved, an integrated vision expected to shape the coordinated implementation of a cybersecurity strategy has turned out to be the main casualty.
In the absence of coordinated implementation, huge differentials have arisen in the state of preparedness of the individual sectors of the cyber ecosystem. The Reserve Bank of India (RBI) has supposedly made impressive progress in the financial sector while many other industries, such as health, power and energy—digitised public services, to name a few—continue to be laggards. Due to the system’s interconnected nature, this situation opens up vulnerabilities even in parts of the system that may be better prepared.
Structurally, the main executive mechanisms of this draft strategy are the Indian Computer Emergency Response Team (CERT-in), set up in 2009 and responsible for responding to cyber incidents. Then, we have the National Critical Information Infrastructure Protection Centre (NCIIPC), created in 2014 to protect critical infrastructure such as power, banking, and telecom. Both organisations draw their legal authority from the Information Technology Act and issue detailed directions to all concerned entities.
The main problem is that the directions are implemented differently by individual stakeholders. The problem is most acute in the case of state governments, where apathy combined with economic constraints and unmet expectations of financial support from the central government are the main impediments. The problem is more acute in states not ruled by the Bharatiya Janata Party, as directions are often viewed as impositions by the Centre. Therefore, cybersecurity has become another vector that strains the perennial contestations between the Centre and the states.
Cybersecurity and Centre-state relations
A state like Karnataka has nearly 100 apps that deliver public services. These apps host immense data, which can be harvested by inimical forces apart from being utilised as entry gates for other inimical activities. The monitoring of cyber security guidelines that relate to the creation of apps and periodic audits is notably weak in most states. At the state level too, each ministry and department tends to carry out its functions mostly as an independent entity. This shows a lack of oversight and treats cyber security as a low-priority area.
Overall, the cyber security apparatus of state-level entities shows much room for improvement. Take, for example, the corporate entities responsible for power distribution. Cybersecurity measures require continuous financial outlays, thus creating a constant tussle between the state government and distributing companies or Discoms. With Discoms already financially stressed, they expect the state to provide finances for executing the directions that emanate from the National Critical Information Infrastructure Protection Centre (NCIIPC) or the state itself.
Most states are financially stressed and have too many competing demands on their budget to accord cyber security any worthwhile priority. They, therefore, seek funds from the Centre, which, more often than not, are not forthcoming. The overall effect is that cyber vulnerabilities in critical infrastructure and other sectors endure.
The need for an apex-level executive body
What is evident from the results of the Centre-state tangle is the absence of an apex body responsible for the execution of strategies evolved by central institutions like the National Security Council Secretariat (NSCS). Institutions like NSCS are accountable for both policy and national strategy and come within the National Security Agency (NSA)’s ambit of duties.
Much of the execution rests with the Ministry of Electronics and Information Technology (MeitY) and its nodal IT agency, the National Informatics Centre (NIC). It is further extended to the cyber department of the Ministry of Home Affairs and the Armed Forces, where separate and ministry-specific priorities determine the what/how/when of core cybersecurity functions. Intelligence agencies form another vertical that has to be integrated with the functioning of these agencies.
The apex body referred to has to have legislative backing and must be headed by a technocrat with a strategic affairs background. Similar bodies will have to be set up by the states, and the apex body head should be given the rank of a state minister, given the importance of their position.
Navigating through established structures
The question that arises is this: Where do you dovetail the apex body in the existing government structure? This is a tricky question that must be resolved by the National Information Board (NIB) headed by the NSA. The NIB is tasked with formulating national information warfare and security policies. This entails not just the development of domestic capabilities in defensive and offensive realms but also calls for responsibility in creating the required institutions and structures to implement policies.
Not much is known in the public domain about the accomplishments of the NIB. But it is apparent that it has to get its act together and evolve a solution to what is certainly a tricky question: Who acts as the executive equivalent for India’s cyber security elements, which permeate government and private organisations? A study is required, and there is much to be learned from other countries.
Considering the complexities that pervade cyberspace, an area that remains ungoverned internationally, the need for an apex executive body becomes all too apparent. Going forward, the strategic vulnerability associated with cyberspace will only expand. Cyberwarfare provides opportunities for destructive forces to operate below the threshold of Operations Less than War (OLTW).
Today, India has a large share of the global IT and cybersecurity services market. Some of the best international cybersecurity practices are innovated and served out of India-based global capability centres and research and development hubs. Thus, the experiences of India’s private sector will come in handy for national cybersecurity governance purposes.
Ironically, but not unusually, we are aware of the problems and perhaps have a lot of solutions in mind. Still, we cannot get them implemented. This has always been a bane of governmental functioning. But considering the soaring importance of cyberspace in the landscape of national security, there is no choice, especially in the coming decade, which seems to be on the steep slope of rising geopolitical confrontations.