It is reported that the government will release a new cybersecurity strategy this year. Based on the information provided by the National Cyber Security Coordinator, Rajesh Pant, it is expected that the strategy would cover the entire ecosystem of cyberspace in India and ensure “a safe, secure, resilient, vibrant, and trusted cyberspace.” Reportedly, some of the elements of the cybersecurity policy will cover the concept of data as a national resource, building indigenous capabilities and cyber audits.
At the outset, a robust cybersecurity policy should be rooted in global security and privacy principles, while being adapted to deal with local concerns. However, the success of such a policy will arguably also be linked to levels of cyber and digital literacy amongst the relevant stakeholders. Lack of cyber-literacy is possibly one of the top issues underlying the exponential growth in cyber-attacks in recent times. The updated policy should focus on this element in addition to laying out key principles for preventing cyber attacks. Some of the key principles have been highlighted in this piece.
Large-scale digitalisation of public services (e.g. vaccination portals) requires that the government invest in robust security training for internal staff as well as contract with state-of-the-art technology and cloud service providers. As much as building indigenous capacity is critical in this regard, it should be noted that one of the best ways to build indigenous capacity, in the long run, is to enable global sources of updated and innovative technologies to enter the Indian markets and bring their best practices in. This also involves investment in critical infrastructure that the public sector may be using to provide such services at scale.
Private sector: In addition to strengthening cybersecurity practices in the public sector, it is also critical to empower the private sector in this regard. There has been an increase in cybersecurity attacks across the world during the pandemic, as the private sector has pivoted to work-from-home settings. The Data Security Council of India (DSCI) has observed that 90-95 percent of the 4.36 million Indian technology workforce had successfully transitioned to a work-from-home model in a very short time with the advent of the pandemic, and this naturally gives rise to concerns about cybersecurity across the supply chain.
In this regard, the future cybersecurity policy should encourage the growth and development of security firms, and enable the private sector to undertake risk profiling of their systems and customers, invest in robust security systems and updates, and put in place necessary controls to allow for continuity of remote operations without the increased risks.
Priority sectors: The advent of digital payments and better telecommunication services has necessitated specific investments in digital security in these sectors. Any cybersecurity policy should specifically account for the concerns and issues faced by payment and telecom operators and offer a supportive framework to address the issues raised by them.
The DSCI has recommended in its submission on the National Cybersecurity Strategy that one way to deal with concerns in specific sectors (such as payments) is by profiling sectors, their digitization plan, architectural developments, technology adoption and possible exposures, and prioritising areas for intervention in consultation with the sectors. It is also important to pay special attention to the supply chain in these critical sectors.
In addition to the National Cybersecurity Policy, which is a great step forward in dealing with the current crisis of security, it is important that the Government streamline certain regulatory principles in data governance. For instance, it appears that “data as a national asset” may be a key theme in future policies as per public reports. However, this principle is not aligned with global frameworks and may not serve the interests of future policies.
Similarly, one of the ways in which the proliferation of healthcare-related scams has been dealt with is by increasing obligations on intermediaries, which have in reality played an important role in dealing with the COVID-19 crisis. Increased intermediary liability is not necessarily the best approach to address the proliferation of scams. A better strategy is to build awareness and more resilient systems that hold strength against spam and phishing attempts.
Finally, a key principle to note while formulating and enforcing cybersecurity principles and laws in India is that there needs to be a focus on capacity building — both at the side of companies (especially SMEs) and at the user end. No cybersecurity policy, however robust, would have the desired impact without sufficient focus on capacity building and user awareness across cyberspace including the public sector, private sector and priority sectors as discussed above.
This article was originally published in CNBC TV18 on 18 August 2021. Co-written by: Shahana Chatterji, Partner; Raktima Roy, Senior Associate.
This is intended for general information purposes only. The views and opinions expressed in this article are those of the author/authors and do not necessarily reflect the views of the firm.