What is the enabling legal environment for securing cyberspace? The Information Technology Act, 2000, amended in 2008, mandates corporates to implement reasonable security practices to protect information. There is no such legal mandate for government departments and ministries.
Even for the private sector, the implementation of best security practices is not uniform, since the government has not notified any auditing mechanism for enforcement. For the banking sector, the Reserve Bank of India has mandated implementation and auditing processes. The banking sector is relatively better prepared to face cyber challenges. Banks have also started sharing information on threats and attacks among themselves. Information sharing and analysis centres hold the key to becoming alert.
The Computer Emergency Response Team-India (CERT-IN) was the first entity created by the Union government to focus on cybersecurity in the country. It has disseminated threat information to enable organisations to engage in proactive defence. The IT industry set up the Data Security Council of India (DSCI) in 2008 to promote best security practices in the sector, and to help India become a secure outsourcing destination.
While CERT-IN and DSCI have worked in their domains, a public-private partnership model is essential for all industry verticals and governments to leverage best practices. This is the norm in the US and the European Union. Unfortunately, such partnership remains elusive in India.
Government departments are not well equipped with resources, both in terms of technology and skilled manpower. It is thus not uncommon to come across news about hacking of sites, since these are not using hardened platforms, nor are they audited by experts. However, critical projects like passport, customs and company affairs are well-protected, since they invest in adequate resources and work with globally recognised outsourcing companies such as TCS, Wipro, Infosys, Tech Mahindra and HCL. These companies have imbibed the security culture and the best practices their global clients demand of them. They have eminently delivered services to their clients' satisfaction. The IT sector is the most mature in its preparedness, and the country can benefit immensely in all sectors if its services are leveraged.
Cybersecurity is incomplete if cybercrimes go unpunished. There is a need to build the capacity of law enforcement agencies in investigation and cyber forensics. Cyber forensic labs are required for the success of the Smart Cities Mission and Digital India. With the Internet of Things connecting such cities, crimes will only increase, leading to the need for more capacity and capabilities.
The programmes for law enforcement agencies and the judiciary need to be scaled up. DSCI Cyber Labs, which have trained more than 45,000 police officers in several cities, are on the verge of closure, since requisite support from the government is not forthcoming. The IT industry is not likely to operate them indefinitely.
The gaps in the IT Act present a challenge to security. The lack of an encryption policy, and data retention and data privacy concerns pose strong challenges to cybersecurity. The barriers of entry for attackers are now very low. Cyberspace allows anonymity, and it is very difficult, if not impossible, to attribute attacks to specific persons or countries.
Finally, tracking attackers requires collaboration of law enforcement agencies across countries, as logs of their activities may be located in servers and networks in different jurisdictions. Most of the crimes in the physical world have footprints in cyberspace: call data records, location data, emails and social media logs. Global cooperation in cyberspace, especially among law enforcement agencies, is critical to collecting evidence.
It is here that the opportunities afforded under the US-India cyber relationship, announced after the Modi-Obama meeting on June 7, should be leveraged, as most of the information is with service providers like Facebook, Google, Twitter, Microsoft, LinkedIn, WhatsApp, YouTube and Skype. But, for that, India has to build capabilities in cyber forensics, by establishing state-of-the-art labs in all state capitals and emerging smart cities, monitoring social media, training police personnel and updating laws for collection of evidence.
The cycle gets closed only with the judiciary being trained to understand and appreciate cyber evidence in all its dimensions. This has to be an ongoing exercise. If cyber criminals go unpunished, the trust in cyberspace will erode, and e-banking, e-governance and smart cities will not be able to live up to their potential.
Bajaj is mentor professor, NIIT University. He was founder director, CERT-IN and founder CEO, DSCI.