The Indian cyber security establishment is still in a rudimentary stage, with a lot of loopholes in the current cyber policy. A key opportunity for strategy moving forward is to focus on our cyber assets. As a nation, we’re vulnerable to Chinese and Pakistani cyber warriors. In 2006-2007, China created approximately 2,50,000 cyber warriors. In fact, they’re giving a lot of thought in the area of cyber security.
On the other hand, preparedness is lacking on the Indian side. We’re always reactive in our response, instead of being proactive. We also lack institutional measures. There exists a huge gap between what we say on paper and what is implemented.
In the past few years, our position on cyber security has inclined towards China and Russia. For instance, to curb the Tibetan movement and the TLA, information around the subject isn’t allowed online in China. Similarly, India has moved from critical infrastructure protection towards information control. A case in point is the incident where two girls from Palghar were arrested after making posts on Facebook.
Information is monitored. It seems the State is using the cyber space as a tool to curtail information. Russia always feared revolution by the West, and Chinese feared trouble around Tibet. Both countries curbed information.
India now does it with Facebook and Twitter. The Government asks companies for information, which is not necessarily a great thing. As a liberal democracy, we’re more aligned to protecting critical infrastructure rather than curbing information access.
Good practices we can adopt
1. We need to have simple guidelines. Most importantly, use the Internet in an effective manner. Government agencies need to be standards-driven. We need to maintain ISO standardisation and certain specific standards. We also need a body to audit the implementation. If compliance isn’t happening, and there are no penalties, then there is no accountability.
2. We also need to look at protecting infrastructure, rather than curb information. Certifications need to be tightened, strengthened and standardised.
3. We need monitoring capabilities and ensure compliance with standards.
4. We need to standardise cloud security. Services such as Apple, Google and Facebook are used on a wide scale. These factors are thought through in the US and Europe, but India needs to look at it seriously. Awareness is lacking. If you speak to Indian citizens online, who put photos online, the threat to security doesn’t register. We need to add layers of security in regulation.
5. India needs to partner with the industry. The industry has a lot to offer for security. The industry puts into practice far more stringent measures than what the government requires. They invest a lot more to ensure their networks are secure. We could imbibe best practices. We need to look closely at security. In cyber security, it eventually comes down to the individual, not the establishment or a nuclear installation. Civil society and the industry should be consulted.
What could possibly be our response plan?
We need a standard operating procedure. We need to consider factors whether we need to police? Whether there is a plan in place to deal with cyber attacks.
We need to try simulations. It is easier for the adversary to attack cyber properties rather than nuclear facilities.
Other countries have taken simulations seriously and figure the best methods to a secure set up. Instead of being clueless, if you simulate a potential threat, you are better prepared and capable in terms of capability – mentally and psychologically.
We need anti-malware signatures with the latest technologies. We need to be mentally alert all the time, and with our systems. Instead of foreign tech, we need to develop indigenous technologies.