According to reports a new National Cyber Security Policy (NCSP) is presently under development by the National Cyber Security Coordinator (NCSC) and may be released in early 2020.
This is good news because the earlier NCSP was released in 2013, by the then Planning Commission, and I have always wondered what the hell did the PC know about cyber security as to be able to come up with a national policy. This fear was not unfounded and there was a lot of stink when I read the paper.
This is good news because the present NCSP is being drafted by the highest office for Cyber Security in the country. This means that it will be discussed and created by experts. I understand that a committee of experts has been put together by the NCSC and they are on the job.
Expectations from the upcoming NCSP
As a concerned citizen I look forward to the NCSP 2020 and pray that the provisions will be put into effect. I pray it will have sharp teeth and that it will be able to catalyze (desperately needed) change.
A general vision for cyber security for the nation has been articulated by the Hon’ble Prime Minister in a number of forums, and has been repeated by the Ministers and officials in MEITY and MHA. I pray that the NCSP 2020 will embody the same spirit of aggressiveness and innovation as demonstrated by the present government across the board.
IndiaWatch wish-list for NCSP2020
There are a few suggestions I have, for inclusion in the policy, which are based on my experience and learning, and I hope that they find their way to the office of the NCSC for consideration.
Firstly, the underlying objective (in addition to others) must be to create an environment of trust between the government and the cyber security ecosystem. There are many factors which contribute to the lack of trust and this needs to be addressed. How will the government do this, or what is the problem – these are questions I would not like to put out in public as I am not qualified to provide how-to guidance to the government.
1. Central Cyber Security Audit Bureau (CCAB)
On the lines of the office of the CAG, the CCAB will be a center of excellence and expertise which will undertake Cyber Security audits of sensitive installations. This bureau will also develop standards and frameworks based on international best practices and localized to the needs in the national environment.
The rationale is that
- This task should be taken out of NCIIPC mandate as presently they are the organization which is making the policy and then providing the implementation guidance to the CII entities. This is a conflict of interest situation and well recognised in simple infosec implementations.
- We cannot expect private audit firms to be allowed to access sensitive defence, space, nuclear etc installations.
- At present the CERT empanelled auditors are considered for every audit but this is a risk. Further these designated auditors have zero accountability.
- The recent KKNPP incident is the harbinger of times to come and the nation cannot be in reactive mode.
2. Cyber security and ethics learning / education
This subject should be included in the learning of every citizen, from Kindergarten to University level. It will mean the redesign of the school curriculum: textbooks should include cybersecurity considerations and education should inculcate a sense of understanding and knowledge of cyber security, its risks and opportunities. The nation must realize that every domain in real life has a cyber ‘factor’ and, whether we like it or not, the march of technology will slowly and steadily intrude and embed itself into every facet of life.
A National Talent Search should be proposed through the appropriate authority to help identify young geniuses who can be mentored for responsibilities and thus supplement the capacity building goals.
3. Cyber Security Research
Research should be (really) promoted and this should be done more aggressively. Our traditional method of giving grants is still followed and it is a highly complex process. Besides the complexity, private institutions are not eligible which may put a large population of students at a disadvantage of not being able to swim in the mainstream of cyber security innovation. The process for disbursing grants should be made simple and quick. Medium / long term research projects should be supported.
3.1 Central Agency to Monitor Research Projects
A central agency should act as a single window for clearance and monitoring of research applications and grants. Its mandate will include review and reporting of utilization of funds, patents developed, research output, impact / value to the nation, development of cyber security capacity / capability etc.
4. Association of Cyber Security Professionals
An organization on the lines of ICAI should be set up. This will help provide a national code of conduct and bring professionalism as well as provide direction in education and training. The association will also be the vehicle to respond to fake news and disparaging reports which are published by foreign entities from time to time.
This will be a major undertaking for the Association. It may be noted that there is not a single (domestic) certification or education program that is known. At the same time it must be said that presently the nation sends out about $100 million every year as fees paid for certifications and maintenance of credentials.
- Organizations like CDAC, NEILIT have developed programs and certifications but there is very low level of industry recognition.
- I had written about certification earlier … https://www.indiawatch.in/cyber-security-certifications-missing-in-makeinindia/
5. Setting up Sectoral CERTs
It was a goal but seems to have been another wishful thought. The news of Sectoral CERTs has got a lot of traction since 2013 but without any apparent tangible progress. The NCSP 2020 should provide firm timelines for the setup and operational readiness of Sectoral CERTs, and this must have oversight by CERT-IN as the nodal agency. It is funny to think of different CERTs doing different things and CERT-IN being clueless in the event of a cyber attack.
- I had learned that CERT-In was also not in the loop with some of the entities which had been talking and claiming to have set up the first sectoral CERTs.
8. Regulator Accountability
If it can be done and makes sense, then this should also be a part of the guidance. The other option is to make this part of the mandate for the CCAB. This will ensure that regulators like RBI, NPCIL, SEBI, IDRBT, NABARD, PCI, TRAI enable effective oversight in their domain. There is a lot of loose work happening under the watch of the regulators and no one is worried about the future implications.
There are many more thoughts, and I shall continue to add to this list.
There are great hopes for a policy which works and is made to work for establishing adequate and effective security and resilience in the national information infrastructure.
#NationalCyberSecurityPolicy #NCSP2020 #cybersecurity