Cherian Samuel is an Associate Fellow at the Institute for Defence Studies and Analyses in Delhi, India.
Monday, October 15 saw the release of the Government of India’s Recommendations of the Joint Working Group on Cyber Security. The Joint Working Group was created in July 2012 and included representatives from various ministries as well as the private sector, namely the Federation of Indian Chambers of Commerce and Industry, the National Association of Software and Services Companies, the Data Security Council of India and the Confederation of Indian Industry. The entire exercise was coordinated by the National Security Council Secretariat.
At first glance, this brief 4-page document does not live up to the expectations and hype surrounding its release. In terms of concrete proposals, it calls for the establishment of a few more committees for enhanced capacity-building; Information Sharing & Analyses Centres for various sectors; an Institute of Cyber Security Professionals of India; and four pilot projects in areas such as studying vulnerabilities in critical information infrastructure. As far as the other recommendations are concerned, while they are laudable and would greatly improve the country’s cybersecurity posture if implemented in letter and spirit, the document is silent on the crucial issue of funding.
Nonetheless, this is an important first step and one can see the glimmer of an unfolding multi-pronged strategy to get ahead of cybersecurity challenges at various levels. One of the major inhibitors to date has been an official mindset of distrust of the private sector in matters of security. As National Security Advisor Shivshankar Menon noted while releasing the report, this change in outlook has been dictated by force of circumstances. The unrelenting penetration of government, military, and other networks; the inability of existing institutional and regulatory mechanisms to deal with these new threats; continuing confusion over contradictory government policies that have tried to balance security and economics; and the somewhat belated realization that cybersecurity could be a sunrise sector for Indian industry have all played a part in the government’s interactions with the private sector. This new partnership envisages collaboration on virtually every aspect of cybersecurity: capacity-building, research and development, training of law enforcement agencies, and even the formulation of India’s position on global cybersecurity policies.
The last aspect also bears watching, as it appears that the government is recalibrating its international positions on cybersecurity to take a more proactive role in international fora and provide thought leadership on the various related issues. To enhance its credentials with the many nongovernmental and private sector actors that support Internet governance now, the government has made a recent foray down the multistakeholder route through its India Internet Governance Conference. Decisions are also imminent on the military front after discussion within the Indian Armed Forces on the contours of a cyber command.
The most vital aspect is the partnership with the private sector. However, where the current initiative is concerned, the devil is in the details, and those details remain sketchy. The Joint Working Group that brought out the Recommendations has been converted into a permanent group and tasked with fleshing out the specifics. As has been pointed out in other commentaries, the Indian IT industry, for all its size, is rather narrowly focused on a few areas like system integration, and new competencies in both hardware and software industries would have to be created to attain the goals envisioned in the Report.
In the meantime, the hype has already had its effect; I received a call from a company peddling a cybersecurity product. This turned out to be a glass film that has been certified to prevent eavesdropping even by the U.S. National Security Agency and apparently adorns the windows of the White House. One can safely expect many more companies and fly-by-night operators to climb aboard what they imagine to be the cybersecurity gravy train that’s just leaving the station.