India has started many good initiatives and formulated far-reaching policies in the field of cyber security. However, their actual implementation is still missing, which makes all these efforts futile. For instance, the Cyber Security Policy and the National Security Policy of India have been declared, but their actual implementation in the cyber field is still missing. As a result, the cyber security of India is in great peril. These cyber security shortcomings have been well articulated by the Cyber Security Trends and Development in India 2013 (PDF) provided by Perry4Law and Perry4Law’s Techno Legal Base (PTLB).
So which cyber security projects have not yet become implementable projects? The list is long, but it is sufficient to mention projects like the National Critical Information Infrastructure Protection Centre (NCIPC) of India, the National Cyber Coordination Centre (NCCC) of India, the Tri Service Cyber Command for Armed Forces of India, the Cyber Attacks Crisis Management Plan of India, etc. None of them are “coordinating” with each other and all of them are operating in different and distinct spheres.
Recently, the National Technical Research Organisation (NTRO) was entrusted with the responsibility to protect the critical ICT infrastructures of India. Critical infrastructure protection in India and its problems, challenges and solutions (PDF) are still not being looked into with great priority. Now Hindustan Times has reported that the National Cyber Coordination Centre (NCCC), which received an in-principle approval from the cabinet committee of security in May last year, is about to become a reality. A 125-page report on the Rs 500-crore project has been sent to the ministry of finance for clearance. Once cleared, it would go to the Cabinet Committee for Economic Affairs for a final nod.
“The new body comes under the National Information Board and would be responsible for all forms of cyber intelligence and cyber security issues,” said a senior intelligence official on condition of anonymity. The NCCC is expected to screen all forms of meta-data, ensure better coordination between various intelligence agencies and “streamline” intelligence gathering. To that end, it expands the charter of the Computer Emergency Response Team, India, (CERT-IN), which has the bulk of the government, public-private and private sectors under its jurisdiction. It is also the duty of the NCCC to alert all relevant agencies during a cyber-attack and ensure better cyber intelligence sharing.
India has already launched e-surveillance projects like the National Intelligence Grid (NATGRID), the Central Monitoring System (CMS), the Internet Spy System Network and Traffic Analysis System (NETRA) of India, etc. None of them are governed by any Legal Framework and none of them are under Parliamentary Scrutiny. Thus, these projects are violative of Civil Liberties Protection in Cyberspace and provisions of the Indian Constitution.
Although the NCCC would be concentrating on meta data and not personal data, the fact that it would actively coordinate cyber intelligence and improve information sharing makes citizens more vulnerable to the government. What worsens the situation is the lack of a privacy law and data protection laws (PDF) and of transparency in the measures being taken, said officials from the ministry of communications & IT. Further, there is no E-Surveillance Policy in India (PDF) either. Let us see how effective the NCCC would be in the absence of any legal framework supporting its functioning.