One step closer to "Cybersecure" India


Cybersecurity has become a topic of national importance. The average cost of a data breach in India is $2.18M and is ever increasing. The global average is $4.88M, which is a significant increase from the previous year’s average of $4.45M. As recently as earlier this week, a ransomware attack affected 300+ banks in the country and we are still in damage control mode.

Cybersecurity failure is a significant global danger that needs to be addressed. From 2006 to 2020, India saw the third-highest number of serious cyber-attacks. Cyber threats such as script kiddies, hacktivists, crime syndicates, and nation-state actors hinder citizens' ability to "go digital". The Supreme Court of India recognizes the need to protect citizens' privacy when using cyberspace. Adolescents and other vulnerable groups experience online harm. Increased internet data generation and sharing poses a risk to privacy.

The cybersecurity policy of the state of Karnataka is very well crafted, with a great deal of thought and practical consideration. There is no better authority to draft this first-of-its-kind policy than the state that is home to the Silicon Valley of India. The policy is divided into two major parts.

Part 1: Cybersecurity Policy - Public

Part 2: Cybersecurity Policy - Government

Some of the key highlights of this policy are:

  • Emphasis on policies for Public and Government, where the focus is on outward and inward actions to create a safe information infrastructure.
  • The Public policy makes very clear mention of various avenues for practical consideration:
    o Focus on general and special awareness considerations (Part 1: Pillar 1)
    o Skill building through academia-industry partnerships and internships (Part 1: Pillar 2). This even refers to a “Cyber-range”-like setup to promote experiential training.
    o Focus groups such as women and senior citizens (one of the very well thought-out parts, defining the target audience and tailoring content for them)
    o Start-up ecosystems; their impact and contributions
    o Effective leverage of technology
    o Support for research and innovation (Part 1: Pillar 3)
  • The Cybersecurity Policy - Government has a robust framework covering major pillars of security considerations, such as:
    o Creation of an asset inventory of IT assets (this is going to be the most complex part of the implementation)
    o Risk assessments and risk treatment
    o Secure Software Development Framework for information systems (perhaps this is the second country, after the United States, to mention the NIST 800-218A SSDF Framework)
    o Focus on secure cloud infrastructure
    o Supply chain security requirements
    o Additional efforts to conduct cybersecurity training for Government staff

The policy is a clear result of contributions from experts in the field and government. While there is a lot more to do to translate these into reality through processes, procedures and numerous programs, here are some quick observations on areas that could have added to this policy's usefulness.

  • Expanded definition of Critical Information Infrastructure: The current definition is very high level. Specific references expanding it to cover applicability to specific industries and government entities would have made the scope much clearer.
  • Business Continuity and Disaster Recovery: While there are references to these in sections concerning e-governance applications and infrastructure, the actual scope of business continuity and disaster recovery deserves larger consideration, and perhaps a separate section to define the policy requirements.
  • AI Considerations: The policy is silent on the security considerations needed for handling systems that leverage Artificial Intelligence. While covering this in full may require a complete AI Security Policy of its own, it is recommended that the policy include AI requirements such as “explainability and interpretability”, “reliability” and “responsible design, development and deployment practices” (Artificial Intelligence Risk Management Framework (AI RMF 1.0)).
  • Measurement and Reporting: A policy is complete when it has references on how to measure compliance and variations. The policy has sections on operationalization of the policy requirements. However, the policy is silent on how to measure compliance and tackle deviations.

I am sure there will be more discussions and debates on the inclusions, exclusions and implications of this policy very soon. This is only a first-cut set of observations, with more to come. Above all, I consider this policy a welcome step from the government to collaborate more with industry, academia and experts to improve the cybersecurity posture of the state and the country.

You can find more information on the policy here: https://lnkd.in/gjgNhvua

Nikhil Agarwal

Product Security Leader | Consultant & Technologist | Speaker & Author

6 months

Great step with the Karnataka Cyber Security Policy 2024! Very insightful and a positive move toward stronger cybersecurity collaboration. Lekshmi Nair!

Dr.Giridaran C

Ed-Tech Leader || Entrepreneur || Human Asset Enthusiast || Technophile

7 months

Insightful!

Dr. Chidhanandham Arunachalam

Chief Program Officer at Sumeru Technology Solutions | Co-creator of Abhyaasa, Threat Meter & Boman.ai | Tech Innovator, Start-up & Cyber Security Expert

7 months

Wonderful!

Lakshminarayanan RS (LN)

General Manager - Regional CISO - Americas & Global Head - Cybersecurity Strategy, Architecture and Cyber Risk Governance

7 months

A welcome step forward !!!
