5 essential points that should make it to India’s new cyber security policy

By Shikhil Sharma

Cyberspace security has become the need of the hour as companies increasingly switch to digital business models. Cyber security hasbecome a common concern (and term) in the boardroom meetings.  

With an active rise in the interest of cybersecurity and having an on ground view of the threats we face as a nation - I think the following 5 points should be included in our new cyber security policy, with a revision every 2-3 years

1. State-sponsored threat retaliation strategy

One of the biggest threats a nation faces is state-sponsored targeted threats from other nations. Quite recently, Australia became victim of a state-sponsored attack. In such attacks government infrastructure, private infrastructure and citizens are targeted at the same time in a series of cyber attacks. This Advansed Persistent Threat (APT) is something which poses a big challenge. 

Truth be told, just having a policy to tackle state sponsored APT won’t be enough. The policy needs to define a ‘retaliation’ action plan too. 

Important points to be noted:

• The policy should define or make a provision to define an ‘action plan’ in case of a state sponsored attack.
• Containing the APT won’t be enough. There needs to be a clear ‘trapping’ plan to have enough data on the origin of the APT or state sponsored threat.
• A retaliation plan should also be in place if need arises to fend off the enemy.
• These plans need to have a clear flow from policy to a government department executing it. ‘Mock drills’ for such scenarios need to be done.

2. SOS lockdown policy

When a cyber attack happens, there can be a mass disruption in services/infrastructure. There needs to be a clear nationwide lockdown policy for key infrastructure of the nation. We are talking about nuclear grids, power grids, financial institutions, satellite communication etc. 

Whenever a nation wide security incident/attack happens, it’s often well thought out and planned for months if not years. In such cases, the bad actors know which components to target first. This makes it important to have a lockdown policy to ensure critical infrastructure is protected during such time and damage is controlled.

Important points to be noted:

• SOS lockdown policy should not be made public fully as that might give enemy the information.
• The lockdown policy will require cyber security specialists to be deployed or trained in each of the critical sectors.

3. Security framework for 5G & iOT devices

With 5G setting foot, the rise of iOT devices is inevitable. This means more devices connected to the internet and each other. This also means ‘smart’ being appended to everything we can think of. 

This calls for a security standard to be defined for all the 5G devices coming to the market. The best case would be the government defining security standards of these new internet connected devices with the help of security companies.

Also Read : Now, EU imposes cyberattack sanctions on Chinese nationals linked to Chinese intelligence agency
 

Important points to be noted:

• A clearly defined certification or ‘standard’ needs to be put out for iOT devices.
• Government or government authorized departments/companies should ensure these newly entering iOT devices meet privacy requirements and security standards ensuring private data of citizens isn’t at risk.
• These are the devices which will be kept at our homes, in our cars & bedrooms - the privacy risks can be un-imaginable. One cannot take any risk with this one.

4. Nationwide cyber security training

India has the responsibility of bringing 600 million+ population to the internet ‘safely’. It should also be ensured that current population already on the internet (over 700 million) is security conscious.

Important points to be noted:

• ‘We are as strong as our weakest link’, our training programs should be built with this principle in mind. When it comes to cyber security, even in most tech savvy organizations, humans have been found to be the weakest links.
• This nationwide training has to be done in a way that less savvy people understand at least basic do’s and don'ts of the internet 
• Our banks have been largely successful in raising awareness around banking frauds. It’s always a work in progress, but in today’s world more people understand that they don’t have to give their online banking password, CVV or any other sensitive information to anyone, even if the other person claims to be a bank official. Such awareness will definitely meet a certain threshold of cyber security. Ofcourse, such models are constantly evolving.
• Training over SMS, IVR and emails need to be made at a mass scale, in a way the common man understands.

5. Enforcing security standards on private companies & rewarding 

The nation should have a cyber security standard defined for every private company. Every company uses emails for communication and has a website even if it is not an internet business. The government should clearly define what is expected of private companies when it comes to cyber security and what are the consequences of not meeting the expectations. Ideally, this should be not more than a 2 page checklist. Making it straightforward and easy to understand will encourage companies to follow the guidelines. 

When a country faces a cyber security challenge, its private organizations are also on the radar of hackers. It’s important their infrastructure is also secure.

Important points to be noted:

The security standards defined for private companies should be in checklist form.

• Government should reward the organizations that follow these standards. This reward can be in the form of publicly displayable certificates which can be verified on government websites or even some tax rebates.

The fact that our government is talking about updating our cyber security policy and preparing it for the upcoming innovations means that we’re headed in the right direction. Considering the privacy concerns and data at stake, information security is not a luxury but a necessity. Having a strong cyber security policy means that the government is not only looking out for the data of its citizens but also inspiring confidence so that foreign companies choose India over other nations for their expansion.

I strongly believe that countries having a strong cyber security policy that can be implemented neatly will have a massive advantage on all fronts in years to come.