Despite its best attempts and some very creative thinking, the Indian government’s efforts to chart an independent course in cyberspace have met with consistent failures and frustrations. Its Cybersecurity Policy is a case in point.
Released amidst the growing controversy over revelations regarding the American electronic eavesdropping programme, this policy document is the culmination of deliberations that the Indian security establishment has been carrying out with various stakeholders for the past three years.
Weak in specifics
To begin with, the document is plagued with definitional issues, not the least of which is the term “cyber security”, tautologically defined as “security of cyberspace.” In fact, the lack of this fundamental definition weakens the policy by not giving it specific objectives to pursue or a clearly-demarcated framework in which to work.
The document states a few concrete measures, such as operating a National Critical Information Infrastructure Protection Centre (NCIIPC) and requiring every organisation to designate a Chief Information Security Officer. For the rest, it offers merely generic prescriptions, which are uncontroversial but ineffective without clearly laid-out implementation strategies.
For instance, it promises to encourage open standards, which has been a universally accepted goal since the advent of standardised manufacturing. However, it fails to spell out how it plans to overcome the coordination issues which have been hindering the acceptance of open standards across the world for all these years. It promises to develop a dynamic regulatory framework for technological developments without explaining what this framework would aim to do; or how it plans to regulate technological developments carried out beyond Indian borders. It also aims to create “systems, processes, structures and mechanisms” to identify and mitigate existing and potential threats. Again, there is no specificity beyond trusting the Indian Computer Emergency Response Team (CERT-In) to do it with its limited mandate and resources.
More of a recap
Meanwhile, the document avoids addressing some of the most basic and polarising debates such as the role of civilian versus military establishment in cyber security, privacy versus security, censorship versus freedom of speech, and use of indigenous security products versus importing vulnerable technology.
It also does not recognise the inherent global nature of the Internet, essentially treating “cyberspace” to be restricted within national borders. It also fails to link up cyber security with the global debate on Internet governance or with the question of international cooperation.
In short, the policy aims for an ideal security situation without a clear roadmap of how to get there, while refusing to make any hard choices. Moreover, almost all the concrete measures that it mentions are initiatives that are already under way. In a way, the document is a recap of previous ideas, rather than a guide towards the future. It neither gives any hint of the Government’s thinking on Internet-related issues nor provides a framework on which successive governments can build further. One cannot be faulted for presuming that such a policy document was the result of a lack of interest.
Hurdles in the way
However, the reality is quite different. Since the beginning of this decade, the Government has been extremely sensitive to the growing challenges of cyberspace and has been actively seeking to develop a viable response.
This recognition of the gravity of cyber security was prompted by a series of events in the late 2000s which highlighted India’s vulnerability.
The cable disclosures of WikiLeaks, the accidental proliferation of Stuxnet, and the discovery of GhostNet were events which India could neither mitigate nor respond to. In the aftermath, New Delhi resolved to be better prepared for the next crisis. Nevertheless, as we have seen, it has not been able to articulate a coherent strategy or decide on any of the contentious issues.
Several factors account for these frustrations. To begin with, the Government’s efforts remain scattered to a great extent, which is natural given the absence of a cyber security czar. So, for instance, while coordination of cyber security among various sectors of the economy remains under the ambit of CERT-In, a civilian agency under the Department of Information Technology, the charge of protecting critical information infrastructure has been given to the National Technical Reconnaissance Organisation (NTRO), a specialised intelligence-gathering agency.
Meanwhile, most cyber crime is expected to be dealt with by the local police under state governments in combination with outside consultants.
Similarly, the division of labour on the international front remains unclear, with the Ministry of External Affairs deciding the Indian position in the United Nations and the Department of Information Technology representing India in international telecom organisations.
More significantly, there is a misunderstanding of the threat, both in its intensity and dimensions. To take the example of the above-mentioned document, there is little clarity on what is being protected and from what it is being protected.
Barring critical infrastructure, there is no delineation between, say, government networks, corporate networks, individual data, data carriers and third party data services. This sense of limitless threat is evident in almost all government cyber security initiatives, attempting to protect everyone from everything and in the process, ending up protecting nothing.
Stop looking to West
To be sure, absurd threat exaggeration has been endemic in cyber security since the advent of the Internet. The complexity of the subject has also made recognising the appropriate threat level difficult. However, for New Delhi, the situation has been exceptionally confusing, partly due to limited institutional capacity and partly due to the government’s eagerness to adopt international (i.e. Western) standards and frameworks.
Informed by inflated assessments of western security establishments which are often contested in their own countries, the Indian government has ended up with a very muddled conception of the threat. For instance, Stuxnet, which has been highlighted by western analysts largely because of its political implications, is often mentioned in Indian government circles as an example of growing cyber security challenges.
On the other hand, Conficker, which is a potentially much deadlier malware, is barely mentioned since it was ignored by foreign governments. This tendency is not new: almost all previous Internet-related policies in India, beginning with the IT Act of 2000, have been heavily influenced by international models. Looking at technologically-advanced nations for policy inspiration is usually a good idea, but in this instance it is misguided. India’s dependence on the Internet is very limited compared with that of the West.
Mechanisation and digitisation of the Indian economy are at a rudimentary level and likely to remain so in the short term given the abundance of cheap labour in India.
The Indian IT industry, being largely service-oriented rather than product-oriented, has little stake in the integrity of the Internet beyond its own networks. In terms of Internet penetration and sophistication of use, India lags far behind other major countries, with non-essential services such as social media constituting the primary use for the majority of the population.
Moreover, Internet dependence in various sections of the Indian economy is far more varied compared with the West. It is essential for India to take a focused view of the risks in cyberspace instead of expecting the presence of a limitless threat.
(The author is a Research Associate at the Centre for Policy Research, New Delhi.)