Critical Gaps

An extract from Maj. Gen. P.K. Mallick’s essay on Cyber and Space Strategy for India

Indian Cyber Space

The most significant event was the introduction of the Information Technology (IT) Act as early as 2000 and the promulgation of the National Cyber Security Policy by the Ministry of Communications and Information Technology in 2013. The Indian Computer Emergency Response Team (CERT-In) was established in 2004 and continues to act. India has undertaken several steps for the protection, detection and containment of these potentially disruptive attacks against the nation’s networks. Initiatives such as Digital India and Smart City and the increasing involvement of the private sector in nation-building endeavours are progressive steps that are also increasing the scope and complexities of cyber security efforts.

The national cyber security policy lacked the following key elements:

• Milestones and performance measures.
• Cost and resources.
• Roles and responsibilities.
• Linkage with other key strategy documents.

India has taken several steps in the recent past to strengthen its cyber defence capabilities. It is time now to enunciate the National Cyber Security Strategy.

Critical Issues to be Addressed in the Indian Context

Command and Control Set-Up: There should be no ambiguity in the responsibility of organizations for cyber security. In the USA, the National Security Agency and Cyber Command come under the Department of Defence. In the UK, the GCHQ comes under the Foreign Ministry. In Israel, the National Cyber Bureau, directly under the Prime Minister, regulates activity in cyber space. In our context, NTRO has been entrusted with this responsibility which doesn’t come under any ministry and operates directly under the Prime Minister’s Office (PMO). The interplay between the Ministry of Defence (MoD) and the armed forces, Ministry of Home Affairs (MHA), intelligence agencies, both internal and external, needs to be clearly demarcated. Who will carry out offensive cyber operations in a conflict scenario: can an intelligence agency do it, keeping in mind the rules of engagement or the laws of armed conflict?

National Critical Information Infrastructure: The National Critical the Information Infrastructure’s Protection Centre (NCIIPC) was formed under the National Technical Research Organisation (NTRO). For some selected critical infrastructures, NCIIPC takes the lead role. For other non-critical structures, it is the responsibility of the CERT-In. The National Disaster Management Authority (NDMA) under the MHA also has the responsibility for protection of cyber critical infrastructure. Though, it