India’s National Cyber Security Strategy 2020 is ready and is now just awaiting cabinet approval, National Cyber Security Coordinator Lt Gen. (Dr) Rajesh Pant said on Friday. He hopes that the Strategy — which will “cater to the entire [cybersecurity] ecosystem” and discusses “how to strengthen existing systems” — will be released in October, the month that is globally considered the cybersecurity awareness month. The “inter-ministerial part”, where inputs are sought from different ministries and accordingly incorporated in the policy, “is over”, he said. Pant was speaking at a virtual cybersecurity conference organised by industry body Assocham.
The five-year Strategy (2020-2025) has been in the works since 2019 and will succeed India’s 2013 cybersecurity policy. In December 2019, the National Security Council had invited comments on the Strategy, and it was meant to be released in the first quarter of the year. COVID-19, however, upended those plans.
In an interview with MediaNama in May 2020, Pant had told us that the Strategy now includes a section on tele-working “since this virus has changed the threat scenario to a great extent”. “The entire section has been added and, in some places, [the Strategy] has been tweaked because in the next five years, lot of the impact of COVID is going to be felt. Consequently, there will an impact on the cybersecurity part also. We have done that and now it’s going through its versions of cabinet paper being approved, etc.,” he had earlier said.
‘Use of data for influence operations should be curtailed’
Pant addressed recent reports that a China-based company has “allegedly been harvesting personal data of 2.4 million people in which there are Australians, Americans and 10,000 Indians”. “And the allegation is that it is all going to be used for influence operations,” he said. Calling it a “very dangerous trend that has to be curtailed”, he called the next decade — 2020s —, “the decade of digital trust”.
Pant is currently heading a committee of experts to evaluate the impact of digital surveillance by Zhenhua Data and assess if it has violated any laws, the Indian Express reported. The committee is expected to submit its recommendations within 30 days.
‘Cybersecurity requires balancing national interest, international collaboration’
“On the one hand, we say there are no borders in cyber work, but on the other, the national interest of the nation has to be maintained. That is the difficult job we are placed in because national interest is supreme and cyber requires international collaboration,” Pant said. That requires “delicate balancing”. No nation, by itself, can carry out exhaustive threat intelligence. And “for protection, you need threat intelligence and timely access to it,” he said.
‘Indigenous solutions will be required to build digital trust, Indian companies will be promoted’
Pant acknowledged that in some places, technology may not allow indigenous solutions, but in certain places, “we definitely have to have our indigenous solutions”. To that end, addressing Indian companies that were attending the virtual discussion, he said, “Entire market of cybersecurity is entirely open to you” and that “we [the government] are ready to promote you”.
In his interview with MediaNama, Pant had stressed on the need for indigenisation. He had mentioned that like Singapore, India is also trying to build a National Malware Repository.
At the virtual event, Pant explained that earlier, radio access network of a device could be separated from its core network, but with the advent of 5G, that will no longer be possible since 5G requires very low latencies. “Now the action and response time has to be very less, just in microseconds,” he said. Radio access network is the network between the mobile phone and the tower while the core network includes device-specific data management. “Computing, that was earlier in the core, has now come to the edge of the network. … And if that was not enough, now you have got IoT [internet of things] devices as well”. This is what makes identifying placing where “our own” routes of trust so important.
‘CISOs will have added responsibilities’
“I don’t think many enterprises will have the luxury of having a separate CISO [chief information security officer] and a DPO [data protection officer],” Pant said. Having a DPO is a mandatory requirement under the Personal Data Protection Bill, not a CISO. Thus, the “CISO will have added responsibilities”, Pant said.
The Cyber Security Coordinator also hoped that the Personal Data Protection Bill, which is currently being deliberated upon by a Joint Parliamentary Committee, would be introduced in the ongoing monsoon session of the Parliament, “otherwise definitely in the winter session”. He acknowledged the report on the governance of non-personal data and mentioned that he had read comments submitted by Genie Gan, the APAC head of public affairs at Kaspersky who was also a speaker at the event.
‘Identity and access management assume more importance post-COVID-19’
Identity and Access Management (IAM), that proves the security of an end point, will be very important post COVID-19, Pant said. “How do I prove my identity? How do I ensure that the end point I am using is safe, that the application I am using is safe?” he explained.
At a virtual event in May 2020, Pant had explained that as people work from home, the security of the end point, such as the laptop or the smartphone is not guaranteed: All elements in the network chain, such as the home router, access points, IoT devices a person is connected to, etc. can be vulnerable.