5 Essential Points That Should Make It To India’s New Cyber Security Policy

I’ve been a long passive participant in India’s cyber security policy space. After the announcement of Digital India initiative back in 2015, a cyber security task force was built to formulate India’s stance on cyber security in years to come. I got an opportunity to be a part of it and give my inputs. Now, a few years post that announcement, I welcome the recent announcement made by our PM in his Independence Day speech about the new Cyber Security policy.

When it comes to cyber security as a whole (not just the policy), I’ve been an active participant in the space. Been protecting India’s business with our security suite ‘Astra Security’ by defending against millions of attacks every month and uncovering thousands of vulnerabilities. Even got awarded by our PM Shri Narendra Modi at Global Conference on Cyber Security.

With this active participation over these years and having an on ground view of the threats we face as a nation – I think the following 5 points should absolutely be included in our new cyber security policy, with a revision every 2-3 years (considering how fast cyberspace is moving):

State sponsored threat retaliation strategy

One of the biggest threats a nation faces is state sponsored targeted threats from other nations. Quite recently, Australia has been a victim of a state sponsored attack. In such attacks government infrastructure, private infrastructure and citizens are targeted at the same time in a series of cyber attacks. This Advanced Persistent Threat (APT) is something which poses a big challenge.

Truth be told, just having a policy to tackle state sponsored APT won’t be enough. The policy needs to define a ‘retaliation’ action plan too.

Important points to be noted:
- The policy should define or make a provision to define an ‘action plan’ in case of a state sponsored attack.
- Containing the APT won’t be enough. There needs to be a clear ‘trapping’ plan to have enough data on the origin of the APT or state sponsored threat.
- A retaliation plan should also be in place if need arises to fend off the enemy.
- These plans need to have a clear flow from policy to a government department executing it. ‘Mock drills’ for such scenarios need to be done.
SoS lockdown policy

When a cyber attack happens, there can be a mass disruption in services/infrastructure. There needs to be a clear nationwide lockdown policy for key infrastructure of the nation. We are talking about nuclear grids, power grids, financial institutions, satellite communication etc.

Whenever a nation wide security incident/attack happens, it’s often well thought out and planned for months if not years. In such cases, the bad actors know which components to target first. This makes it important to have a lockdown policy to ensure critical infrastructure is protected during such time and damage is controlled.

Important points to be noted:
- SoS lockdown policy should not be completely public as that might give bad actors information on areas where the country is most focused at.
- The lockdown policy will require cyber security specialists to be deployed or trained in each of the critical sectors
Security framework for 5G & iOT devices

With 5G setting foot, the rise of iOT devices is inevitable. This means more devices connected to the internet and each other. This also means ‘smart’ being appended to everything we can think of.

This calls for a security standard to be defined for all the 5G devices coming to the market. The best case would be the government defining security standards of these new internet connected devices with the help of security companies.

Important points to be noted:
- A clearly defined certification or ‘standard’ needs to be put out for iOT devices.
- Government or government authorized departments/companies should ensure these newly entering iOT devices meet privacy requirements and security standards ensuring private data of citizens isn’t at risk.
- These are the devices which will be kept at our homes, in our cars & bedrooms – the privacy risks can be un-imaginable. One cannot take any risk with this one.
Nationwide cyber security training

India has the responsibility of bringing 600 million+ population to the internet ‘safely’. That, while ensuring its current population already on the internet (over 700 million) is security conscious.

Important points to be noted:
- ‘We are as strong as our weakest link’, our training programs should be built with this principle in mind. When it comes to cyber security, even in most tech savvy organizations, humans have been found to be the weakest links.
- This nation wide training has to be done in a way that less savvy people understand at least basic do’s and don’ts of the internet.
- Our banks have been largely successful in raising awareness around banking frauds. It’s always a work in progress, but in today’s world more people understand that they don’t have to give their online banking password, CVV or any other sensitive information to anyone, even if the other person claims to a bank official. Such awareness against social engineering will definitely meet a certain threshold of cyber security. Ofcourse, such models are constantly evolving.
- Training over SMS, IVR and emails need to be made at a mass scale, in a way the common man understands.
Enforcing security standards on private companies & rewarding

The nation should have a cyber security standard defined for every private company. Every company uses emails for communication and has a website even if it is not an internet business. The government should clearly define what is expected of private companies when it comes to cyber security and what are the consequences of not meeting the expectations. Ideally, this should be not more than a 2 page checklist. Making it straightforward and easy to understand will encourage companies to follow the guidelines.

When a country faces a cyber security challenge, it’s private organizations are also on the radar of hackers. It’s important their infrastructure is also secure.

Important points to be noted:
- The security standards defined for private companies should be in checklist form.
- Government should reward the organizations that follow these standards. This reward can be in the form of publicly displayable certificates which can be verified on government websites or even some tax rebates.

The fact that our government is talking about updating our cyber security policy and preparing it for the upcoming innovations means that we’re headed in the right direction. Considering the privacy concerns and data at stake, information security is not a luxury but a necessity. Having a strong cyber security policy means that the government is not only looking out for the data of its citizens but also inspiring confidence so that foreign companies choose India over other nations for their expansion.

I strongly believe, the countries having a strong cyber security policy which is implemented neatly will have a massive advantage on all fronts in years to come.

We asked a cyber security expert at India’s top tele communication provider about their views on the upcoming new policy, here’s what she has to say: