Question - What are different elements of cyber security? Keeping in view challenges in cyber security, examine the extent to which India has successfully developed a comprehensive national cyber security strategy.
Cyber security is the protection of information systems and networks from unauthorised access, use, modification, disruption or destruction. Cyber security involves various elements, such as:
People: People are the users, operators, administrators, developers and managers of information systems and networks. They need to be aware, trained, skilled and responsible for cyber security. They also need to follow the policies, procedures, standards and guidelines for cyber security.
Processes: Processes are the methods, practices and workflows that govern the design, development, operation, maintenance and improvement of information systems and networks. They need to be aligned with the objectives, requirements and risks of cyber security.
Technology: Technology is the hardware, software, firmware and infrastructure that enable the functioning of information systems and networks. They need to be secure, reliable, resilient and up-to-date with the latest threats and vulnerabilities.
Data: Data is the information that is stored, processed, transmitted and used by information systems and networks. They need to be protected from unauthorized access, use, modification, disclosure or loss. They also need to be classified, encrypted, backed up and disposed of according to their sensitivity and value.
Governance: Governance is the framework of policies, laws, regulations, standards and guidelines that define the roles, responsibilities, authorities and accountabilities of various stakeholders for cyber security. They need to be consistent, coherent, comprehensive and enforceable.
India has been facing various challenges in cyber security, such as:
Increasing cyber threats: India has been witnessing a surge in cyberattacks on its networks from various sources, such as state-sponsored actors, cybercriminals, hacktivists and terrorists. These attacks target various sectors and domains, such as critical infrastructure, defence, government, banking, e-commerce etc.
Lack of cyber resilience: India has been lagging behind in developing its cyber resilience capabilities to prevent, detect, respond and recover from cyber incidents. There is a lack of adequate data and information on cyber threats and incidents; coordination and integration among various stakeholders; capacity and awareness among users; financial resources for cyber security; public participation in cyber security etc.
Lack of cyber sovereignty: India has been dependent on foreign technologies and platforms for its digital economy and governance. This poses risks of data leakage, espionage, manipulation and sabotage by foreign entities. There is a need to develop indigenous capabilities and promote self-reliance in cyber security.
To address these challenges and enhance its cyber security posture, India has been working on developing a comprehensive national cyber security strategy since 2020. The strategy is expected to be unveiled soon by the National Cyber Security Coordinator (NCSC) under the Prime Minister's Office (PMO).
The strategy is based on a report prepared by the Data Security Council of India (DSCI), which focuses on 21 areas to ensure a safe, secure, trusted, resilient and vibrant cyberspace for India's prosperity. Some of these areas are:
Large scale digitisation of public services: Focusing on security in the early stages of design in all digitisation initiatives; developing institutional capability for assessment, evaluation, certification and rating of core devices; timely reporting of vulnerabilities and incidents etc.
Supply chain security: Monitoring and mapping of the supply chain of ICT products; scaling up product testing and certification; leveraging India's semiconductor design capabilities globally at strategic, tactical and technical levels etc.
Critical information infrastructure protection: Monitoring digitisation of devices; evaluating security devices; maintaining a repository of vulnerabilities; devising audit parameters for threat preparedness; developing cyber-insurance products etc.
Digital payments: Mapping and modelling of devices and platforms deployed; routine threat modelling exercises to disclose vulnerabilities; threat research and sharing of threat intelligence; timely disclosure of vulnerabilities etc.
State-level cyber security: Developing state-level cybersecurity policies; allocation of dedicated funds; critical scrutiny of digitisation plans; guidelines for security architecture,
operations and governance etc.
Security of small and medium businesses: Policy intervention in cybersecurity granting incentives for higher level of cybersecurity preparedness; developing security standards,
frameworks and architectures for adoption of IoT and industrialisation etc.
To implement the strategy effectively, the report also provides some recommendations on various aspects such as budgetary provisions; research & innovation; human resources;
public-private partnership; international cooperation etc.