India is a late entrant in the field of cyber security. This is evident from the fact that the National Cyber Security Policy of India 2013 (NCSP 2013) was drafted only in 2013. Although this is a step in the right direction, the actual implementation of the NCSP 2013 is still a big challenge for the Indian government.
Further, the NCSP 2013 itself is suffering from many serious drawbacks. These include lack of privacy protection, absence of integration with the National Security Policy of India, absence of civil liberties protection in cyberspace, absence of balance between civil liberties and national security requirements, etc.
There are other policy issues as well that are putting hurdles before the successful implementation of cyber security in India. For instance, we have no data protection laws and privacy rights in India. Privacy rights in the digital age are still ignored by the Indian government. On top of that, the Indian government has started many e-surveillance oriented projects without any legal framework. An e-surveillance policy of India must be urgently formulated by the Indian government so that unconstitutional e-surveillance can be curbed in India.
Similarly, on the implementation side, India is still grappling with issues like cyber warfare, cyber espionage and cyber terrorism. For instance, Huawei was recently accused of breaching the national security of India by hacking a base station controller in AP. Thus, critical infrastructure protection in India and its problems, challenges and solutions are still to be looked into with great priority.
A dedicated cyber warfare policy of India must be formulated as soon as possible. All these issues have already been covered by the cyber security trends and developments in India 2013 released by Perry4Law and Perry4Law’s Techno Legal Base (PTLB).
Regarding critical infrastructure protection in India, a National Critical Information Infrastructure Protection Centre (NCIIPC) of India has been claimed to be constituted. However, in the absence of a public face and website for the NCIIPC, its exact functions and role are in doubt. Further, there are internal bureaucratic and policy conflicts when it comes to critical infrastructure protection in India.
Now Hindustan Times has reported that the Indian government has cleared a proposal to put the technical-spying agency NTRO in charge of securing the IT installations of key infrastructure bodies including telecommunications, power, railways and airports.
The move comes at the behest of National Security Advisor Shivshankar Menon after considerable resistance from bureaucrats and politicians who were concerned about handing this key role to an intelligence body that is not subject to checks and balances.
Last week, the Cabinet Committee on Security (CCS) cleared this proposal that came after years of deliberation. In December 2012, Menon had announced plans to shore up defences against paralysing cyber-attacks in these critical sectors.
But while guidelines for the project were prepared and issued in June 2013, the government was caught in a furious battle over the project’s ownership. While many felt the ideal choice was the Computer Emergency Response Team-India (CERT-IN), controlled by the Ministry of Communications and Information Technology, the NSA was in favour of the NTRO (National Technical Research Organisation), which is controlled by his office and is not answerable to Parliament.
“Many of us felt that NTRO, being an intelligence agency with little oversight should not be heading such a project. But the counter argument was that it had better sensors than what the Ministry of Communications and IT and CERT-IN had to detect such cyber-attacks,” a senior minister, who did not wish to be named, told HT while confirming the CCS decision.
In the first phase, the NTRO will look at seven sectors including telecommunications, oil and gas, Air Traffic Control, power grids and nuclear installations, and railways. “As capacities are built up more sectors will be added to this list,” a senior NTRO official told HT on the condition of anonymity.
The project’s first phase, according to the perspective plan, will be for five years and will cost Rs. 200 crore. During this period, nearly 500 IT professionals with various levels of experience will be hired to start building robust defence systems for critical sectors.
NTRO was created as a technical spying agency on the lines of the American NSA (National Security Agency) and monitors satellite communications, missile testing and UAV surveillance, among other things. It has three major wings that deal with cyber security: the Net Security Team that does analysis of attacks, the Information Domination Group that is tasked with hacking, and the Cyber Application and Research group that deals with surveillance and internet monitoring. While these give NTRO an edge over other agencies, they also give it access to a lot of sensitive data, which has sparked concerns about the invasion of privacy of citizens.