Critical Gaps
An extract from Maj. Gen. P.K. Mallick’s essay on Cyber and Space Strategy for India
Indian Cyber Space
The most significant events were the introduction of the Information Technology (IT) Act as early as 2000 and the promulgation of the National Cyber Security Policy by the Ministry of Communications and Information Technology in 2013. The Indian Computer Emergency Response Team (CERT-In) was established in 2004 and continues to operate. India has undertaken several steps for the protection, detection and containment of these potentially disruptive attacks against the nation’s networks. Initiatives such as Digital India and Smart City and the increasing involvement of the private sector in nation-building endeavours are progressive steps that are also increasing the scope and complexities of cyber security efforts.
The national cyber security policy lacked the following key elements:
- Milestones and performance measures.
- Cost and resources.
- Roles and responsibilities.
- Linkage with other key strategy documents.
India has taken several steps in the recent past to strengthen its cyber defence capabilities. It is time now to enunciate the National Cyber Security Strategy.
Critical Issues to be Addressed in the Indian Context
Command and Control Set-Up: There should be no ambiguity in the responsibility of organizations for cyber security. In the USA, the National Security Agency and Cyber Command come under the Department of Defence. In the UK, the GCHQ comes under the Foreign Ministry. In Israel, the National Cyber Bureau, directly under the Prime Minister, regulates activity in cyber space. In our context, this responsibility has been entrusted to NTRO, which doesn’t come under any ministry and operates directly under the Prime Minister’s Office (PMO). The interplay between the Ministry of Defence (MoD) and the armed forces, the Ministry of Home Affairs (MHA) and the intelligence agencies, both internal and external, needs to be clearly demarcated. Who will carry out offensive cyber operations in a conflict scenario: can an intelligence agency do it, keeping in mind the rules of engagement or the laws of armed conflict?
National Critical Information Infrastructure: The National Critical Information Infrastructure Protection Centre (NCIIPC) was formed under the National Technical Research Organisation (NTRO). For some selected critical infrastructures, NCIIPC takes the lead role. For other non-critical structures, it is the responsibility of the CERT-In. The National Disaster Management Authority (NDMA) under the MHA also has the responsibility for protection of cyber critical infrastructure, though it has done very little on this issue. CERT-In is an advisory body and not an implementation agency. Responsibility and authority for all the sub-sectors of the critical information infrastructure should be clearly demarcated and made accountable.
The lead agency to formulate a national security policy is the Ministry of Electronics and Information Technology (MeitY). This ministry does not have control over powerful ministries and departments like the MoD, MHA and NTRO. Because our ministries work in stovepipe systems, interaction, sharing of information, earmarking of specific roles and assignment of responsibility suffer.
We generally follow the US model. The appointment of the National Cyber Security Coordinator directly under the PMO is seen as a positive development: a lot of good work has been done by the National Security Coordinator. However, he does not have any executive power since he is not under any ministry. He is not in the loop for operations undertaken by the intelligence agencies. The staff for the National Cyber Security Coordinator is meager for a country as huge and diverse as India. In the US, the post of the National Cyber Security Coordinator has been abolished as it was found that this post had become an extra-constitutional authority and was interfering with the rou