The recent act of cyber crime against a large number of schools in the national capital is yet another incident of inimical elements attempting to create a sense of panic and insecurity. Cyber attacks come in different forms, ranging from financial frauds to data breaches to the crippling of critical infrastructure. When viewed at a macro level, the nation cannot afford to withstand such headwinds in our journey to a $5-trillion economy. It is, therefore, imperative that our strategy to counter this threat is clearly enunciated in the first 100-day plans of the new government.
The fountainhead of any action is the creation of a framework for governance at the national level to ensure responsibility and accountability for the protection of the national cyberspace. In the present system, while individual ministries are doing well in implementing their respective mandates, the accountability aspect is missing. It may be prudent to recall the cyber attack in the UK in 2003 by a state-backed actor, where, during the inquiry, everyone kept passing the buck and no one was found responsible. This is when they decided to create the National Cyber Security Centre under a CEO. It may be a useful exercise for the government to take stock of some of the recent cyber attacks and examine the flaws in the present system with a view to creating an efficient governance structure.
On June 1, 2022, the Australian prime minister announced their first minister for cyber security. There are three main reasons for the creation of such a role. First, cyber security, like internal security and national defence, needs leadership to ensure it remains a constant priority, even when there are more urgent security issues of the day. So having a minister ensures that policy makers/bureaucrats are constantly tasked with the appropriate work. Second, it also helps as the prime minister and his staff do not have the time to work on cyber issues on a daily basis and can therefore depend upon the ministry for any inputs. Third, most of the critical information infrastructure lies in the private sector. A ministry would provide a clear avenue for industry. Without a minister it is difficult to know who has responsibility within the government.
The strategy question
Once the governance structure has been decided, we need to come out with our strategy for protecting national cyberspace. Our present policy of 2013 needs a revision and much work has already been put in by the government on the new strategy, which would promulgate a whole-of-nation approach in addressing the entire ecosystem of cyber security. This strategy needs to be released at the earliest.
While 2023 was a landmark year for the nation with the passage of the Digital Personal Data Protection Act and the Telecom Act, there is a need for a Cyber Security Act to cater for new-age crimes, after a gap analysis of the existing laws and regulations in light of such crimes.
Cases of cyber crime that involve innovative methods of trapping citizens are on the rise. With the increased proliferation of smartphones, many citizens are getting conned. There has been an increase in frauds in the banking, financial services and insurance sectors. Though the Indian Cyber Crime Coordination Centre needs to be complimented for its efforts, the issue needs to be addressed holistically by including the telecom sector, banks, judiciary and the police.
Elections, deepfakes and disinformation
In this election season we have already witnessed the scourge of deepfakes and disinformation campaigns. Such vectors will continue due to the growing use of social media. Protection of national cyberspace involves a monitoring mechanism and counter-action against all violators, big or small.
The proposed national cyber reference framework needs to be made public at the earliest, as does the National Malware Repository, an excellent project developed by the DRDO. The use of AI in both cyber defence and offence is on the rise and a coordinated approach to counter it is required. The National Mission on Cyber Physical Systems has done well in creating 25 technology innovation hubs, but now needs to focus on outcomes.
Cyber attacks are borderless and are difficult to attribute, as seen from the Delhi school attacks. Since we are not signatories to the Budapest Convention, we have to depend on Interpol and the coalition of willing nations for threat intelligence and investigation. International cooperation, therefore, is essential in this respect and should form an integral part of our strategy.
Finally, there can be no assured defence in cyberspace without an element of deterrence. The latest cyber strategies of the US, the UK, Australia and others depict a shift from cyber security to cyber power. In addition, the creation of a separate cyber force by the PLA is an index of its growing importance. The cyber war is already on at different levels. We need to act fast.
The writer is chairman, Cyber Security Association of India