The COVID-19 pandemic affected the implementation of the union government’s cybersecurity project, the National Cyber Coordination Centre (NCCC), leading the government to revise down funds required by half in financial year 2020-21.
For FY2020-21, the Ministry of Electronics and Information Technology (MEITY) revised down funds from Rs 170 crore (Budget Estimate) to Rs 80 crore (Revised Estimate) under the head Cyber Security Projects (NCCC & Others). Note that from the budget documents, it appears that CERT-in, NCCC, and the broader cyber security projects by the union government receive budgets under two heads: “Cybersecurity (NCCC & CERT-in)” and “Cyber Security Projects (NCCC & Others)”. The latter allotment is made under PM Narendra Modi’s flagship Digital India scheme.
When questioned about the significant downward revision of funds required under “Cyber Security Projects (NCCC & Others)” under Digital India, MEITY said funds used during the first two quarters of FY21 was lower since COVID-19 impacted NCCC’s operations. The actual disbursement was only Rs 24.07 crore being disbursed eventually.
This was disclosed in a report by the Parliamentary Standing Committee on Information Technology, led by Shashi Tharoor, on MEITY’s demand for grants for FY21-22. In the same report, MEITY seemed to cite shortage of funds as the reason for National Cyber Coordination Centre’s implementation remaining incomplete. While detailing the phase-wise implementation plan for NCCC, MEITY said that the full-fledged Centre will be implemented “within a period of one year if requisite funds are provided“.
Now, MEITY’s budget estimates for FY21-22 for the the NCCC, CERT-in, and broader cyber security projects is
- Rs 216 crore for Cybersecurity (NCCC & CERT-in) and
- Rs 200 for Cyber Security Projects (NCCC & Others) under Digital India
Urgency of setting up NCCC cannot be overemphasized: IT Committee
The IT Committee noted with concern that although the NCCC’s setting up was approved back in April 2015 (with an outlay of Rs 770 crore), it was only allotted budgets from FY17-18 and its implementation has been delayed citing shortage of funds. Cyber attacks on critical infrastructure “have become commonplace” and the urgency of setting up NCCC “cannot be overemphasized”, the Shashi Tharoor-led IT Committee noted.
The country can hardly afford the sluggish approach of the Ministry in setting up of NCCC as a pro-active agency in dealing with issues relating to cyber space. The Committee desire that Detailed Project Report which is under consideration of Department of Finance be expedited and the Ministry make adequate provision of funds for Cyber Security Projects (NCCC & Others) scheme so that the project of setting up of NCCC is not delayed any further.— IT Committee Report [emphasis supplied]
What we know about NCCC
The NCCC, which scans and records metadata, was approved in 2013 and was live as of August 2017. The NCCC can “actively” tie up with other cyber intelligence agencies to collect and share data to conduct surveillance, although, via lawful means. It is limited to online and cyber intelligence and collects data through tie ups with other intelligence units. The government’s meta data scanner is likely to have access to NATGRID and also information collected by agencies under the Home Ministry.
According to MEITY’s submission to the Committee on NCCC’s status, the government said it had set up the Centre to generate “real-time macroscopic views” of cyber security threats in India. Here’s what we learnt from the Committee’s report:
- Objective: It is a multi-stakeholder body being implemented by CERT-In at MEITY, that scans and shares metadata online and coordinates among different agencies to mitigate cyber security threats. NCCC’s objective is to secure India’s cyberspace through security policy, compliance and assurance, incident early warning, security training and so on.
- Approval and timeline: The setting up of the NCCC was approved with an outlay of Rs 770 crore for a period of five years and was initiated in April 2015 after approval.
- Phase I: In Phase I, the project on Threat and Situational Awareness (NCCC Test Bed) has been implemented. Phase-I of NCCC was operationalised in July 2017, where in metadata from 20 sites of ISPs and organisations is being analysed. Another 15 remote sites are targeted to be operationalised by August, 2021. Steps have been taken for implementation for the remaining 250 metadata collection sites. The office space is currently being renovated. Data Centre co-location services is being hired for primary and disaster recovery site for NCCC.
- Posts: A total of 65 posts (60 S&T and 5 non-S&T) were sanctioned in yr. 2016 out of which 57 posts have been filled (54 S&T and 3 non-S&T), recruitment for remaining posts is currently going on. A proposal for creation of remaining 59 posts (S&T and non-S&T) as per the NCCC Detailed Project Report (DPR) is under consideration with Department of Expenditure, Ministry of Finance. The full-fledged NCCC will be implemented within a period of one year if requisite funds are provided, MEITY said.
Budgets allotted over the years
Cyber Security (CERT-in & NCCC) | Year: Budget Estimate, Revised Estimate, Actual
- FY21-22: Rs 216 crore
- FY20-21: Rs 140 crore, Rs 90 crore, Rs 61.22 crore
- FY19-20: Rs 42 crore, Rs 35 crore, Rs 29.98 crore
- FY18-29: Rs 40 crore, Rs 31.83 crore, Rs 29.90 crore
Further, the Ministry also allots more funds under the Digital India programme for cyber security under the head Cyber Security Projects (NCCC & Others) | Year: Budget Estimate, Revised Estimate, Actual
- FY21-22: Rs 200 crore
- FY20-21: Rs 170 core, Rs 80 crore, Rs 24.07 crore (as of February 1, 2021)
- FY19-20: Rs 120 crore, Rs 102 crore, Rs 92.07 crore
- FY18-29: Rs 110 crore, Rs 110 crore, Rs 107.48 crore
Make CoWIN, Aarogya Setu secure: IT Committee
Both the CoWIN app and the Aarogya Setu app need to work in conjunction to be effective against COVID-19, the Committee noted in its report.
MEITY informed the Committee that CoWIN will serve as a backend application for ensuring “smooth” vaccination sessions and Aarogya Setu will serve as the frontend citizen facing application. The Committee stressed upon the need for apps to sync since they have been developed by two different ministries, CoWIN by the Health Ministry and Aarogya Setu by MEITY.
As vaccination progresses, and the apps garner significant user bases, they become “susceptible and lucrative targets” for cyber attacks, such as the phishing attack targeting the COVID-19 vaccine cold chain, the Committee noted. It recommended that adequate security arrangements be put in place to ensure that both apps do not fall prey to cyber attacks.
MEITY took note of the global phishing attack on the vaccine cold chain and also disclosed that there were some attacks on some prominent pharmaceutical companies in India. “CERT-in has been at the forefront in detecting this; responding to those issues; and helping the concerned organizations to ramp-up their security as well,” the Ministry had said.
- More than 60,000 cyber crime cases registered between 2016-18: Home Ministry
- National Security Council invites comments on National Cyber Security Strategy 2020 until Dec 31
- Lt Gen. (Dr) Rajesh Pant on India’s National Cyber Security Strategy, Indo-US cooperation, end-to-end encryption and more