Cyber Security In India: Some Reflections

Digital economy and cyber security are correlated and are two sides of the same coin. We cannot have a strong, effective and functional digital economy unless we put robust and resilient cyber security policies and mechanisms at right place. India ignored cyber security for decades as our systems and economy were mostly analogue and not digital. We may self declare ourselves as digital superpower but that is not the truth. In fact, it is far away from truth. Anybody who has dealt with government offices and govt websites can tell you that govt offices and govt officials and bureaucrats lack digital capabilities. As a result, we have very poor cyber security in India and when we talk about cyber security we do not mean preventing websites defacement alone.

For reasons unknown both Indian govt and bureaucrats preferred to keep cyber security in cold storage though some good discussions also took place (PDF). Even the National Security Advisor’s (NSA) office, Prime Minister’s Office (PMO), Defence Cyber Agency (DCA), etc have failed to do the needful in the cyber security field so far. Initially it looked like govt apathy but later on it became clear that it was a case of lack of capabilities and expertise. India is relying upon IT Cells to spread positive propaganda but IT Cells are not substitute for effective, strong and robust cyber security infrastructure. IT Cells may convince or mislead people into believing that India has strong cyber security and Digital India is shining but crackers, cyber criminals and state sponsored cyber adversaries are having a good time at the cost of Indian economy and Indian Intellectual Property Rights (IPRs).

India is facing increased cyber attacks, cyber crimes and cyber espionage activities. These activities cannot be successfully repelled and countered unless we have strong techno legal regime in India. For that we need strong and dedicated cyber security laws on the one hand and capable cyber security workforce on the other. We neither have a dedicated cyber security law nor our educational system is capable of producing world class cyber security experts. So govt must start working upon both these aspects and while doing so govt must stop relying upon policies like cyber security policy of India that is just a guideline and not binding upon various stakeholders. Such toothless policy approach and notifications would not convince stakeholders to ensure cyber security for their systems. For instance, though RBI has mandated that banks need to ensure cyber security for their systems yet most banks have still to implement those directions. PSU banks are struggling to keep their bank servers up and most of the time they are down. Will anybody be convinced that they can manage cyber security for their systems in these circumstances? And if RBI cannot enforce its cyber security guidelines against banks, what is the use of formulating such guidelines? There are many more aspects but outlining them here is beyond the scope of this article. Instead, let us discuss the solution aspects now and we would focus upon legislation and capacity building aspects alone for the purposes of this article.

First, let us discuss upon legal framework for cyber security in India. In the name of cyber security law, we have the cyber security policy of India 2013 that would be updated to the cyber security policy 2021 soon. It is a non binding and persuasive document only that mostly outlines the problems than solutions. So not much guidance and help can be obtained from it as it is a PR stunt to show that we care for cyber security in India. It is the bureaucratic version of the IT Cell culture of Executive and both are useless. Then we have guidelines about cyber security formulated as Rules under the Information Technology Act, 2000. Again that is a piecemeal and knee jerk reaction to the bitter and harsh realities of cyberspace. The truth is that delegated legislation is a very poor substitute for well thought and well discussed legislation. Putting such Rules for public comments can never substitute a well thought and well discussed law making process that is the main responsibility of our Legislature/Parliament. But who would draft cyber security laws if neither bureaucrats nor our politicians are well versed with technological and cyber security issues? That is why we do not have a dedicated cyber security law in India.

We have some very good Universities and colleges in India but their global rankings are not very encouraging. So we must focus upon improving their educational standards keeping in mind that we need to change our education strategy. We need to shift their priority and focus from being academic to imparting skills oriented courses and education. There is a mismatch between the workforce produced by these educational institutions and the market demand. Private companies and stakeholders have been complaining that graduates produced by these institutions are not up to the mark and standards and they need additional skills development courses and trainings before joining a job. A better approach is to inculcate such skills right at the stage of graduation and post graduation. Also private educational and skills development initiatives must be supported by govt by providing them with an easy recognition procedure with no financial burdens. Too much focus upon certificates, diplomas or degrees without necessary skills is counter productive. Instead private and online education portals must be given not only recognition but their course must also be suitably recognised for employments purposes. Such online portals may either award a certificate/degree or they can give credit scores that should be used during employment and higher studies purposes.

Having outlined two major problems of Indian cyber security let us discuss how Perry4Law Organisation (P4LO), its startups and projects in general and CECSRDI in particular can help India in this regard.

CECSRDI has been working upon formulation of a techno legal cyber security framework that can be adopted and used by Indian govt. It can provide the much needed base for a dedicated cyber security law of India. We would share more details about it at the CECSRDI Forum. This would take care of the vacuum of cyber security law in India.

CECSRDI is also working on the project of online education, training and skills development in the field of cyber law, cyber security and related fields. A dedicated portal would be launched by CECSRDI soon where skills could be upgraded online. We would ensure techno legal cyber security skills development and would mix both technological and legal issues of cyber security. This way our trainee would be in a better position to handle cyber security related issues for a wide variety of social, public and private ventures and activities. This is in addition to our existing techno legal skills development initiatives by PTLB School, PTLB Virtual Campus, PTLITC, etc. Collectively, we cover skills development from K12 to the stage of lifelong learning and our existing portals and proposed CECSRDI portal can be used by Indian govt for a larger cyber security skills development initiative in India.

Having discussed two most needed solutions to strengthen cyber security in India, let us discuss few more related aspects of projects and initiatives of CECSRDI.

Cyber security is a very complicated field that requires domain specific expertise to manage. No single country or organisation is capable of managing cyber security at a global level. That is why countries across the globe are working hard to ensure coordination and collaboration among global stakeholder. In this process, govt, private players, academic institutions, individuals, cyber security experts, etc are all trying to solve the global cyber security problems. In short, cyber security is a global phenomenon and it needs global solutions. We at CECSRDI understand this very well and that is why the CESCRDI Forum would bring forward cyber security experts and institutions from around the world to share their best practices, knowledge, expertise and experience among similar stakeholders. It is an invitation only Forum were only approved stakeholders would interact and coordinate their global cyber security initiatives. Besides approved participants, the Forum would see activities and participation from our investors, collaborators, partners, trainees, etc. Different segments would be created based on the profile and involvement of the stakeholders with CECSRDI. Collaborative discussion thread or space would also be opened or created if the situation demands so where multiple stakeholders can participate simultaneously.

There is an urgent need to encourage young professionals, startups, companies, etc to invest in cyber security products, services, research and development, etc. However, institutional framework to do so is missing in India, especially for techno legal cyber security field. That is why CECSRDI has launched a Virtual Cyber Security Incubator so that talent of such stakeholders can be nurtured and they could contribute for cyber security of India. This Incubator has its own dedicated portal were incubation related issues would be shared and discussed. The CECSRDI Forum would manage the networking, collaborations, investment, mentoring and other aspects of incubated stakeholders under the CECSRDI Incubator. To maintain quality and standards, only deserving stakeholders would be approved for incubation. But if you have cutting edge products or services in cyber security field, we encourage you to apply for incubation under CECSRDI Incubator.

I am constrained from disclosing many things and aspects due to internal policies of P4LO and to maintain their trade secrets. But I can assure you that CECSRDI is going to change the way cyber security would be managed in India in future. Information about investors, collaborators, trainees, etc is available at the portal and its various segments and more information would be shared at the CECSRDI Forum. Let us together create a responsible and secure techno legal cyber security environment in India and globally.