CYBER POLICY in India
National Cyber Security Policy
The “National Cyber Security Policy” has been prepared in consultation with all relevant stakeholders, user entities and public.
• This policy aims at facilitating creation of secure computing environment and enabling adequate trust and confidence in electronic transactions and also guiding stakeholder’s actions for protection of cyber space.
• The National Cyber Security Policy document outlines a road-map to create a framework for comprehensive, collaborative and collective response to deal with the issue of cyber security at all levels within the country.
• The policy recognizes the need for objectives and strategies that need to be adopted both at the national level as well as international level.
• The objectives and strategies outlined in the National Cyber Security Policy together serve as a means to:
i. Articulate our concerns, understanding, priorities for action as well as directed efforts.
ii. Provide confidence and reasonable assurance to all stakeholders in the country (Government, business, industry and general public) and global community, about the safety, resiliency and security of cyber space.
iii. Adopt a suitable posturing that can signal our resolve to make determined efforts to effectively monitor, deter & deal with cyber crime and cyber attacks.
Salient features of the policy
In brief, the National Cyber Security Policy covers the following aspects:
• A vision and mission statement aimed at building a secure and resilience cyber space for citizens, businesses and Government.
• Enabling goals aimed at reducing national vulnerability to cyber attacks, preventing cyber attacks & cyber crimes, minimising response & recover time and effective cyber crime investigation and prosecution.
• Focused actions at the level of Govt., public-private partnership arrangements, cyber security technology related actions, protection of critical information infrastructure and national alerts and advice mechanism, awareness & capacity building and promoting information sharing and cooperation.
• Enhancing cooperation and coordination between all the stakeholder entities within the country.
• Objectives and strategies in support of the National cyber security vision and mission.
• Framework and initiatives that can be pursued at the Govt. level, sectoral levels as well as in public private partnership mode.
• Facilitating monitoring key trends at the national level such as trends in cyber security compliance, cyber attacks, cyber crime and cyber infrastructure growth.
National Cyber Security Policy 2013
INDIAN COMPUTER EMERGENCY RESPONSE TEAM (CERT-IN) – SECURING THE NATIONAL CYBER SPACE
Indian Computer Emergency Response Team (CERT-In) was established by the Department of Information Technology, Govt. of India, in January 2004 with a specific mandate to respond to computer security incidents. With the passage of Information Technology (Amendment) Act 2008, CERT-In has been designated as Nodal agency for coordinating all matters related to cyber security and emergency response. It is now assigned with the task of oversight of the Indian cyber space for enhancing cyber protection, enabling security compliance and assurance in Government and critical sectors and facilitating early warning & response as well as information sharing and cooperation.
Within few years of existence, CERT-In has been able to establish itself as a trusted referral agency with necessary capabilities to respond to cyber security incidents. In the process, CERT-In has been able to get into working relationships with all the leading security organizations and vendors across the world in the form of MoU, to achieve the necessary force multiplier effect in responding to cyber security incidents. In addition, specific capabilities have been developed to engage itself in effective cyber forensic as well as analysis of malicious codes.
CERT-In has published a Crisis Management Plan for Countering Cyber Attacks and Cyber Terrorism in the country and is working towards its implementation across Govt. and critical sectors in the country. In order to support the organizations in the critical sector and the Government in enhancing their ability to resist cyber attacks and improving their security posture, CERT-In has created a panel of IT security auditors that can provide wide range of security auditing services on commercial basis. With this kind of institution building activities, CERT-In is now able to provide its reactive and proactive services on 24×7 basis and is effectively collaborating the international agencies engaged in similar work for real time information sharing and problem resolution in the cyber space.
In order to effectively secure the Indian cyber space, CERT-In is assisting the Department of Information Technology to put in place a national cyber security strategy and a national information security governance policy.
The elements of national cyber security strategy are:
In pursuit of the cyber security strategy, CERT-In has been working towards Preventing cyber attacks against country’s critical information infrastructure; Reducing national vulnerability of cyber attacks and Minimizing damage and recovery time from cyber attacks.Specific challenges in securing the cyber space are:
Reaching out to the user community in creating necessary awareness on the need for cyber security and also on the need for them to play their roles in a responsible manner
Sharing of information with CERT-In with regard to the occurrence of cyber security incidents to enable better preparation and prevention.
Overcoming the technical and legal barriers to move beyond our country’s borders to reach the sources of trouble – Most serious cyber crimes such as economic fraud, cyber terrorism and cyber war fare are invariably perpetrated from sources located outside the country using networks of compromised computers located both inside and outside the country. Since the sources of trouble are outside the country, invariably there would be technical and legal challenges to deal with and actually getting to the root of the problem. For this purpose, increased international cooperation is the need of the hour and CERT-In has been able establish good working relationships with international organizations such as AP CERT & Forum of Incident response (FIRST, US) and overseas CERTs.
For ensuring safety and security of cyber space, it is not only necessary to have an effective incident response mechanism such as the one already established by CERT-In, but also develop suitable ability and mechanism to harness real time information on the cyber security incidents even before they occur. In view of this, future roadmap of CERT-In includes real time incidents information collection, analysis and dissemination for effective security incidents prevention and protection.
Cyber Security Threat
There have been attempts from time to time to penetrate cyber networks operating in Government. These attacks have been observed to be originating from the cyber space of a number of countries including China. It has been observed that the attackers are compromising computer systems located in different parts of the World and use masquerading techniques and hidden servers to hide the identity of actual system from which the attacks are being launched. Hence, it is difficult to attribute cyber attack to a particular country.
A sophisticated virus called as “Stuxnet” was reported to be spreading worldwide since July 2010. The virus targets Industrial Control Systems. The following specific steps were taken by the Government immediately after the threat was reported:
Alerts and advisories about the Stuxnet threat were issued on website of the Indian Computer Emergency Response Team (CERT-In). Measures to be taken to detect infected systems, dis-infect the same and prevent further propagation were advised to all critical sector organizations in the country.
Government in association with Internet Service Providers (ISPs) and security vendors tracked the infected systems and advised the owners of the systems to dis-infect the same. Workshops were conducted by CERT-In and other government agencies jointly for critical sector organizations to create awareness and suggest steps to be taken to counter the threat.
Further, the government has taken the following measures to protect cyber networks:
• Department of Information Technology and Electronics has circulated Computer Security Guidelines and Cyber Security Policy to all the Ministries/ Departments on taking steps to prevent, detect and mitigate cyber attacks.
• All Central Government Ministries/ Departments and State/Union Territory Governments have been advised to conduct security audit of entire Information Technology Infrastructure, including websites, periodically to discover gaps with respect to security practices and take appropriate corrective actions.
• Setting up of Early Warning and Response to cyber security incidents through the Indian Computer Emergency Response Team (CERT-In) and to have collaboration at national and international level for information sharing and mitigation of cyber attacks. CERT-In regularly publishes Security Guidelines and advisories for safeguarding computer systems and these are widely circulated. CERT-In also conducts security workshops and training programs on regular basis to enhance user awareness.
• The ‘Crisis Management Plan for countering cyber attacks and cyber terrorism’ was prepared and circulated for implementation by all Ministries/ Departments of Central Government, State Government and their organizations and critical sectors.
• CERT-In is conducting mock cyber security drills to enable assessment of preparation of organizations to withstand cyber attacks.
• The Information Technology Act, 2000 as amended by the Information Technology (Amendment) Act, 2008 has been enforced on 27.10.2009. The Act provides legal framework to address the issues connected with security breaches of information technology infrastructure.
• National Informatics Centre (NIC) managing Govt. websites and providing e-mail service is implementing measures to secure the Govt. IT infrastructure from cyber attacks.
Revamping Cyber Security Apparatus
Government is aware of the nature of the threats in Cyber Space and is taking appropriate measures to address these threats by way of an integrated approach with a series of legal, technical and administrative steps to effectively deal with the issue of cyber security in the country and to ensure that necessary systems are in place to address the growing threat of cyber attacks. In support of this approach, the Information Technology Act, 2000 has included adequate provisions for protection of critical information infrastructure and cyber security incident response in the country.
In order to address the issues of cyber security in a holistic manner, the Government has come out with a draft “National Cyber Security Policy” after public consultation, to unify the various activities and programmes of the Government to address the cyber security challenges with an integrated vision and a set of sustained & coordinated strategies for implementation. In addition, Government is taking various measures to ensure necessary awareness and robust security system in all the critical Government agencies.
Salient features of the steps taken by the Government