The National Security Council Secretariat is seeking comments for the formulation of the National Cyber Security Strategy 2020 (NCSS 2020) until December 31, 2019. Comments can be submitted here till December 31, 2019. The comments are sought on three pillars of cyber security: secure (national cyberspace), strengthen (structures, people, processes, capabilities), and synergise (resources including cooperation and collaboration). MediaNama has learnt that the final strategy will be released in the first quarter of 2020. There is no draft policy yet.

National Cyber Security Coordinator (NCSC) Lt Gen. (Dr) Rajesh Pant had said in June 2019 that a cyber security strategy would be released in 2020. At that time, he had indicated that there would be a consultation:

“5G will change the entire scope of cybersecurity in India. There are new aspects like ransomware, and IoT was not there. So with these changes, there is going to be a new strategy for dealing with cybersecurity. We have created a small team and we will write something and we will get comments from people.”
— Lt Gen. (Dr) Rajesh Pant on June 21, 2019

A task force, under NSCS, is responsible for formulating a five-year strategy (2020-25). The call for comments takes into account that Dr Pant had previously mentioned and includes cloud computing and AI, too. It also raises issues of “include data protection/privacy, law enforcement in evolving cyberspace, access to data stored overseas, misuse of social media platforms, international cooperation on cybercrime & cyber terrorism”.

It remains to be seen how NCSS would interact with the pending Personal Data Protection Bill which is listed for introduction in this Parliament session. It is also interesting that the call for comments raises the issue of “access to data stored overseas”, suggesting that the cyber security strategy might also deal with data localisation. We have reached out to Dr Pant’s office for more information. India’s previous cyber security policy was released in 2013.

Dr V. Kamakoti, a computer science professor at IIT Madras who is also a member of the National Security Advisory Board under PMO, told MediaNama that this strategy will not be restricted to computer science or information security, but will deal with “critical infrastructure from public utilities to finance to insurance to aviation, and strategy projects such as space and nuclear programmes”. In Kamakoti’s opinion, the final strategy should explain the mandate of every organisation, such as NCIIPC (National Critical Information Infrastructure Protection Centre) and CERT-In (Computer Emergency Response Team), as “that mandate will enforce a procedure on it”.

This call for comments on a Cyber Security Strategy comes a month after the cyber attack on Kudankulam Nuclear Power Plant’s information technology system, not the operational network that controls the actual functioning of the power plant. ISRO had also reportedly been breached by the same cyber attackers.