The Need for Re-conditioning Of India’s Cyber Security

India’s digital landscape is evolving, accompanied by growth in information technology infrastructure, mobile and Internet penetration, and government initiatives.

The current way of life has pushed even the most remote users to take to the digital space for nearly all their transactions. Corporates also have a majority of their workforce operating from home now. This increased digital activity has exposed people and businesses to cyberattacks and data threats like never before. In recent times we have also seen many cyber attackers exploiting any gaps in our data security measures to get what they desire.

Currently, India is operating under the National Cyber Security Policy, 2013. The 2020 policy will run for five years. With Chinese apps being banned already, the new policy is expected to ban more.

There are 36 central bodies in India to look after cyber issues in the country. Every organization has its own CERT (Computer Emergency Response Team) and a reporting structure. The Ministry of Electronics and Information Technology has joined hands with the National Centre of Excellence to accelerate cybersecurity in India and make it an attractive destination to invest in cyber technologies.

Background

There is an urgent need in India to secure the digital economy. The digital economy contributes 14% to 15% of India’s total economy, and this is expected to rise to 20% by 2024. There is an urgent need in the country to upgrade its cyber security strategy.

In 2016, the banks announced that details of 3.2 million debit cards were leaked. In 2019, the Kudankulam nuclear power plant was attacked by malware. In 2018, Cosmos Bank of Pune was attacked by malware and the bank lost Rs 94 crores.

India needs to build a strong National Cyber Security Strategy for the following reasons:

  • Digitization in India is set to increase after the COVID-19 crisis.
  • Ransomware attacks in the country have increased due to the increase in RaaS (Ransomware as a Service) operators.
  • The current cyber threat landscape poses its toughest challenges mainly due to rapid technological developments such as the Internet of Things, Cloud Computing, Artificial Intelligence, 5G, etc.

Thus, there is an urgent need for a new updated National Cyber Security policy.

As the regulatory ecosystem tries to match pace with digitization, the awareness among individuals about data security is significantly high. This is evident from the findings of the recently published 2020 Unisys Security Index, India.

The survey revealed that the top four security concerns among Indians were related to data security. These include identity theft, hacking and viruses, bankcard fraud and online shopping. In fact, 83 per cent of the surveyed population stated that identity theft was their topmost security concern, making it the biggest security concern in India.

India also recorded the highest level of concern about the security of shopping online, with 82 per cent of Indians concerned about this issue. An equal percentage of respondents is worried about hacking and viruses and bankcard fraud. These findings reflect concerns around the state of data security in the country, a call to action for all stakeholders. While data security in principle is not limited to the digital world alone, most of the large-scale data thefts happen in the digital world, thereby warranting greater attention.

The accelerated pace of digitization, which is expected to continue post COVID-19 as well, and the widespread concerns around data security point to a need for robust data security measures in the country.

Three stakeholders have a key role to play here: individuals, corporates and the government.

Individuals need to be more cyber aware and take necessary precautions to secure their personal and financial data, as they engage in the digital realm.

Organizations that deal with customer data, be it retailers, hospitals or other institutions, have a responsibility to secure the data they have collated. They must also be aware of the security risks posed by remote working models and take appropriate measures to secure their data and assets.

The government of the country needs to work towards creating an ecosystem where data security thrives. It can do so through interventions in the regulatory framework of the country that promote a data secure India. A cybersecurity strategy and policy that is in tune with the evolving cyberthreat environment is a must and our government has taken cognizance of the same.

Taking account of cyber risks, quantifying them and articulating them in the language of business, so that senior leaders can prioritize, becomes vital considering the limited information security budgets organizations have.

Next comes the approach taken to prevent a cyber-attack. There is one common thread to all the recent cyberattacks: the attacker has penetrated the perimeter defences. This shows that the traditional, perimeter security-based approach is failing. The fluidity of today’s threat landscape, disappearing network boundaries and the enormous number of connections inside and outside enterprises increase the attack surface considerably.

Also, once a network is breached, the attacks spread laterally very fast with nothing to curb this movement of the attack vector. It is clear that traditional perimeter security-based approaches do not suffice in the sophisticated threat landscape of today. What organizations need is an approach based on logical segmentation of workloads.

Last, but not the least, data breaches are now considered a matter of ‘when’ and not ‘if’. Organizations need to assume that they will be breached at some point in time and work towards building cyber resilience into their plan of action. Investments in this space will define how quickly they are able to bounce back post an attack.

Zero Trust is a viable alternative and is quickly becoming the de facto security posture for organizations around the world. Zero Trust is a network security model, based on the guiding principle of ‘never trust, always verify’. 

The framework dictates that you cannot trust anything inside or outside your perimeters. It assumes that the perimeter is dead, and we can no longer operate on the idea of establishing a perimeter and expecting a lower level of security inside the perimeter as everything inside is trusted. This assumption has unfortunately been proven true in multiple attacks as attackers simply enter the perimeter through trusted connections using tactics such as phishing attacks.

A Zero Trust model only allows authenticated and authorized users and devices to access applications and data.

One of the ways of implementing Zero Trust is micro-segmentation. 

Micro-segmentation logically isolates workloads in virtual environments by enforcing granular segmentation policies. This facilitates role-based access, making sure that all stakeholders, internal or external, only have access to the data and segments they need to perform their tasks. Because micro-segmentation can assign security policy at the workload level, the security can persist no matter how or where the workload is moved.

Micro-segmentation, coupled with network monitoring and dynamic isolation, also ensures that any breach is not allowed to spread laterally and is contained within that particular segment alone, preventing a breach from growing into a full-blown data theft. Technologies like artificial intelligence, machine learning and biometrics further enhance the effectiveness of a zero-trust based cybersecurity approach. Together, these approaches result in a strong data security posture that can address the threat landscape of today.
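The containment property described above, as an added example that is not part of the original article: a default-deny, label-based policy check and a breadth-first search of what a compromised workload can reach, compared with a flat network behind a perimeter. The workload names, labels, ports and rules are constructed for illustration.

```python
from collections import deque

# Constructed inventory: workload name -> labels (all names are hypothetical).
WORKLOADS = {
    "web-1":    {"app": "shop", "tier": "web"},
    "web-2":    {"app": "shop", "tier": "web"},
    "api-1":    {"app": "shop", "tier": "api"},
    "db-1":     {"app": "shop", "tier": "db"},
    "hr-app-1": {"app": "hr", "tier": "web"},
    "hr-db-1":  {"app": "hr", "tier": "db"},
}

# Allow rules (source selector, destination selector, port). They match on
# labels, not addresses, so the policy follows a workload when it is moved.
POLICY = [
    ({"app": "shop", "tier": "web"}, {"app": "shop", "tier": "api"}, 8443),
    ({"app": "shop", "tier": "api"}, {"app": "shop", "tier": "db"}, 5432),
    ({"app": "hr", "tier": "web"}, {"app": "hr", "tier": "db"}, 5432),
]

def matches(labels, selector):
    """True when the workload carries every label the selector asks for."""
    return all(labels.get(k) == v for k, v in selector.items())

def allowed(src, dst, port, policy=POLICY):
    """Default deny: a flow passes only if some rule explicitly allows it."""
    return any(matches(WORKLOADS[src], s) and matches(WORKLOADS[dst], d) and port == p
               for s, d, p in policy)

def blast_radius(start, policy=POLICY):
    """Workloads reachable from a compromised one by chaining allowed flows."""
    ports = {p for _, _, p in policy}
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for dst in WORKLOADS:
            if dst not in seen and any(allowed(cur, dst, p, policy) for p in ports):
                seen.add(dst)
                queue.append(dst)
    return seen - {start}

def flat_radius(start):
    """Baseline: in a flat network every workload can reach every other."""
    return set(WORKLOADS) - {start}

if __name__ == "__main__":
    for w in ("web-1", "hr-app-1", "db-1"):
        print(w, "flat:", sorted(flat_radius(w)), "segmented:", sorted(blast_radius(w)))
```

The search follows chained flows, so it also shows which explicitly allowed paths (here web to api to db) still deserve monitoring after segmentation.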

When a country faces a cyber security challenge, its private organizations are also on the radar of hackers. It’s important their infrastructure is also secure.

The government should reward the organizations that follow these standards. This reward can be in the form of publicly displayable certificates which can be verified on government websites or even some tax rebates.

The fact that our government is talking about updating our cyber security policy and preparing it for the upcoming innovations means that we’re headed in the right direction. Considering the privacy concerns and data at stake, information security is not a luxury but a necessity. Having a strong cyber security policy means that the government is not only looking out for the data of its citizens but also inspiring confidence so that foreign companies choose India over other nations for their expansion.

The National Cyber Security Policy is a policy document drafted by the Department of Electronics and Information Technology (DeitY) in 2013 aimed at protecting the public and private infrastructure from cyber-attacks. The guideline also seeks to protect the personal information of internet users, financial and banking information, and sovereign data.

Before 2013, India did not have a cybersecurity policy. The need for it was felt during the NSA spying issue that surfaced in 2013.

Information empowers people and there is a need to create a distinction between information that can run freely between systems and that which needs to be secured. This could be personal information, banking and financial details, or security information which, when passed into the wrong hands, can put the country’s safety in jeopardy.

This Policy has been drafted in consultation with all the stakeholders.

In order to digitise the economy and promote more digital transactions, the government must be able to generate trust in people in the Information and Communications Technology systems that govern financial transactions.

A strong integrated and coherent policy on cybersecurity is also needed to curb the menace of cyber terrorism.

National Cyber Security Policy Vision

  • To build secure and resilient cyberspace for citizens, businesses and Government.
  • To protect information and information infrastructure in cyberspace.
  • To build capabilities to prevent and respond to cyber threats.
  • To reduce vulnerabilities and minimize damage from cyber incidents through a combination of institutional structures, people, processes, technology and cooperation.

National Cyber Security Policy Objectives

1. Encouraging the adoption of IT in all sectors of the economy by creating adequate trust in IT systems by the creation of a secure cyber ecosystem.

2. Creating an assurance framework for the design of security policies and for the promotion and enabling actions for compliance with global security standards and best practices through conformity assessment.

3. Bolstering the regulatory framework for ensuring a secure cyberspace ecosystem.

4. Enhancing and developing national and sectoral level 24×7 mechanisms for obtaining strategic information concerning threats to ICT infrastructure, creating scenarios for response, resolution and crisis management through effective predictive, preventive, protective, response and recovery actions.

5. Operating a 24×7 National Critical Information Infrastructure Protection Centre (NCIIPC) to improve the protection and resilience of the country’s critical infrastructure information.

6. Developing suitable indigenous security technologies to address requirements in this field.

7. Improving the visibility of the ICT (Information and Communication Technology) products/services’ integrity by having testing and validation infrastructure.

8. Creating a workforce of 500,000 professionals skilled in cybersecurity in the next 5 years.

9. Providing businesses with fiscal benefits for adopting standard security practices and processes.

10. Safeguarding the privacy of citizens’ data and reducing economic losses due to cybercrime or data theft.

11. Enabling effective prevention, investigation and prosecution of cybercrime and enhancement of law enforcement capabilities through legislative intervention.

12. Developing a culture of cybersecurity and privacy.

13. Developing effective public-private partnerships and collaborative engagements by means of technical and operational cooperation.

14. Promoting global cooperation by encouraging shared understanding and leveraging relationships for furthering the cause of security of cyberspace.

The importance of data security in digital India cannot be overstated. The need of the hour is an ecosystem where individuals, organizations and the government work hand in hand towards building a data secure nation. Technology plays a key role here to help build a secured tomorrow.