India’s upcoming National Cyber Security Strategy will deal with cyber insurance, Lt Gen. (Dr) Rajesh Pant, the National Cyber Security Coordinator, said on Monday. He reiterated that the much-awaited Strategy is in the final stages of approval, and will deal with subjects such as indigenisation of technology and decentralisation of cybersecurity responsibilities. It is also expected to have provisions for funding cybersecurity work.
Pant was speaking at the event “CyberComm: Cyber Security for Atmanirbhar Bharat”, organised by the Federation of Indian Chambers of Commerce and Industry (FICCI). He said the National Cyber Security Strategy is currently being considered at the “highest level” awaiting signatures. The five-year Strategy (2020-2025) has been in the works since 2019 and will succeed India’s 2013 cybersecurity policy. Pant had earlier said that the Strategy is just awaiting a nod from the Cabinet and will hopefully be out in October.
Policy will recommend legislative framework for cyber insurance
Pant said that the policy will include a legislative framework for cyber insurance. Cyber insurance is an under-explored concept in India. In an April 2019 report, the Data Security Council of India (DSCI) had noted that only 350 cyber insurance policies had been sold in 2018, accounting for a yearly cyber premium of just ₹80-100 crore. A more recent report from July 2020 by the Financial Express put this figure at ₹200-220 crore during the previous financial year, while the share of the overall insurance premiums in the country amounted to ₹1.89 lakh crore. A detailed policy on this subject will likely provide a fillip to this niche insurance sector.
The upcoming policy will also contain frameworks for cyber education (how to process threat intelligence), cyber audits and cryptology.
Indigenous capability building a key focus
One of the key focuses of the policy will be building indigenous capabilities. Pant noted that there are very few companies working in the cyber security space in India. “I hardly find indigenous products […] There are very few companies in this field,” he said. Pant suggested that FICCI set up a cell dedicated to the cyber security industry, which can help aggregate efforts and prevent duplication.
Pant also noted that it is an unrealistic aim to want all elements of a network to be indigenous. Taking the example of 5G, he said, not everything even has to be indigenous. He suggested there could be a junction box of sorts, through which all data in a system passes, “that after it has passed through this, there is not malware”. This box, he said, can be indigenous.
Everyone will have responsibilities
Pant said that the upcoming policy will be based on the concept of “common but differentiated responsibility (CBDR)”. “Cybersecurity is the responsibility of everyone — individuals, private sector and business […] Cybersecurity is not a separate for private sector and government sector. When attacks take place, the IP [address] could be of anyone,” he said. The country will have sectoral and state-based CSIRTs (Cybersecurity Incident and Response Teams), he said. In a May interview with MediaNama, Pant had said that all states should have security operation centres (SOCs) and CSIRTs. At the time, he had said the different sectors, such as finance and power, also have to create their own SOC “because one CERT-In cannot look after such a large nation as ours”.
Pant said that the highest priority would be accorded to “critical infrastructure” such as atomic energy, space, transportation, business, financial sector and so on. The policy will prescribe an “assurance defence posture” for the country.
Budgetary allocations likely: Pant hopes the policy will also set aside a budget for funding cybersecurity work. He took the example of the United Kingdom’s strategy, which has set aside a considerable sum for implementation. “We are trying something like that here to our best efforts. It is not easy always — the finance part.”
Cyber crimes a growing concern
Pant said that cyber security has assumed great importance, becoming a “dirty, dangerous game”. Criminals, he said, had no qualms about attacking infrastructure of hospitals even during the pandemic. “The situation will become more and more complex once we talk about smart cities, Industry 4.0, 5G etc,” he said.
India lost ₹1.25 lakh crore in 2019: According to official figures, Pant said, India lost ₹1.25 lakh crore due to cyber crimes in 2019. To drive home his point, he also referred to a forecast by Cybersecurity Ventures which predicts that the world will lose $6 trillion to cyber crimes in 2021.