Despite its best attempts and some very creative thinking, the Indian government’s efforts to chart an independent course in cyberspace have met with consistent failures and frustrations. Its Cybersecurity Policy, published last month, is a case in point. Released amidst the growing controversy over revelations regarding the American electronic eavesdropping program, this policy document is the culmination of deliberations that the Indian security establishment has been carrying out with various stakeholders for the past three years. The stated intent was to develop a concrete plan to protect the national information infrastructure through a balanced, holistic approach within the ambit of public-private partnership. Unfortunately, what has instead emerged is a diluted, vague list of goals that the government has no clear strategy to implement.
To begin with, the document is plagued with definitional issues, not the least of which is the term “cybersecurity” tautologically defined as “security of cyberspace.” In fact, the lack of this fundamental definition sets the rest of the policy to falter from the get-go by not giving it specific objectives to pursue or a clearly-demarcated framework in which to work. The document states a few concrete measures like operating a National Critical Information Infrastructure Protection Centre (NCIIPC) and requiring every organization to designate a Chief Information Security Officer. For the rest, the document offers merely generic prescriptions which are uncontroversial but ineffective without clearly laid-out implementation strategies.
For instance, it promises to encourage open standards, which has been a universally accepted goal since the advent of standardized manufacturing. However, it fails to spell out how it plans to overcome the coordination issues which have been hindering the acceptance open standards across the world for all these years. It promises to develop a dynamic regulatory framework for technological developments without explaining what this framework would aim to do; or how it plans to regulate technological developments carried out beyond Indian borders. It also aims to create “systems, processes, structures and mechanisms” to identify and mitigate existing and potential threats. Again, there is no specificity beyond trusting the Indian Computer Emergency Response Team (CERT-In) to do it with its limited mandate and resources.
Meanwhile, the document avoids addressing some of the most basic and polarizing debates like the role of civilian versus military establishment in cybersecurity, privacy versus security, censorship versus freedom of speech, and use of indigenous security products versus importing vulnerable technology. It also does not recognize the inherent global nature of the Internet, essentially treating the “cyberspace” to be restricted within national borders. It also fails to link up cybersecurity with the global debate on Internet governance or with the question of international cooperation.
In short, the policy aims for an ideal security situation without a clear roadmap of how to get there, while refusing to make any hard choices. Moreover, almost all the concrete measures that it mentions are initiatives that are already underway. In a way, the document is a recap of the previous ideas, rather than a guide towards the future. It neither gives any hint of government's thinking on Internet-related issues nor provides a framework on which successive governments can build further. One cannot be faulted for presuming that such policy document was the result of a lack of interest.
However, the reality is quite different. Since the beginning of this decade, the government has been extremely sensitive to the growing challenges of cyberspace and has been actively seeking to develop a viable response. This recognition of the gravity of cybersecurity was prompted by a series of events in the late 2000s which highlighted India's vulnerability. The cable disclosures of Wikileaks, the accidental proliferation of Stuxnet, and the discovery of the Gh0stNet were events to which India could neither mitigate nor respond. In the aftermath, New Delhi resolved to be better prepared for the next crisis. In the new decade, the government has made a marked effort to be a bigger actor in cyberspace, globally and within the country. Nevertheless, as we have seen, it has not been able to articulate a coherent strategy or decide on any of the contentious issues.
There are several factors for these frustrations. To begin with, government’s efforts remain scattered to a great extent, which is natural given the absence of a cybersecurity czar. So, for instance, while coordination of cybersecurity among various sectors of economy remains under the ambit of CERT-In, a civilian agency under the Department of Information Technology, the charge of protecting critical information infrastructure has been given to National Technical Reconnaissance Organisation (NTRO), a specialized intelligence-gathering agency. Meanwhile, most of the cybercrime is expected to be dealt with by the local police under state governments in combination with outside consultants. Similarly, the division of labor on the international front remains unclear, with Ministry of External Affairs deciding Indian position in the United Nations and Department of Information Technology representing India in international telecom organizations.
More significantly, there is a misunderstanding of the threat, both in its intensity and dimensions. To take the example of the above mentioned document, there is little clarity on what is being protected and from what it is being protected. Barring critical infrastructure, there is no delineation between, say, government networks, corporate networks, individual data, data carriers and third party data services. This sense of limitless threat is evident in almost all government cybersecurity initiative, attempting to protect everyone from everything and in the process, ending up protecting nothing.
To be sure, absurd threat exaggeration has been endemic in cybersecurity since the advent of the Internet. Complexity of the subject has also made recognizing appropriate threat level difficult. However, for New Delhi, the situation has been exceptionally confusing, partly due to limited institutional capacity and partly due to the government’s eagerness to adopt international (i.e. Western) standards and frameworks. Informed by inflated assessments of western security establishments which are often contested in their own countries, the Indian government has ended up with a very muddled conception of the threat. For instance, Stuxnet, which has been highlighted by western analysts largely because of its political implications, is often mentioned in the Indian government circles as an example of growing cybersecurity challenges. On the other hand, Conficker, which is a potentially much deadlier malware, is barely mentioned since it was ignored by the foreign governments. This tendency is not new, almost all previous internet-related policies in India have been heavily influenced by international models beginning from the IT Act of 2000. The government is often insistent on “harmonizing” its policies with international standards, even though, in many cases, such standards are yet to exist.
Looking at technologically-advanced nations for policy inspiration is usually a good idea, but in this instance is misguided. India’s dependence on the Internet is very limited compared to that of the West. Mechanization and digitization of the Indian economy is at a rudimentary level and is likely to remain so in the short term given the abundance of cheap labor in India. The Indian IT industry, being largely service-oriented rather than product-oriented, has little stake in the integrity of the Internet beyond their own networks. In terms of Internet penetration and sophistication of use, India lags far behind other major countries, with non-essential services like social media constituting the primary use for the majority of the population. Moreover, Internet dependence in various sections of Indian economy is far more varied compared to the West.
It is essential for India to take a focused view of the risks in cyberspace instead of expecting the presence of a limitless threat. It was this expanded view which has led to the lack of specificity in the government’s thinking and in its inability to grapple with tough choices. It has also made it challenging for the government to mark and limit its own role in cybersecurity.
Sandeep Bhardwaj is a Research Associate at the Centre for Policy Research, New Delhi.
India in Transition (IiT) is published by the Center for the Advanced Study of India (CASI) of the University of Pennsylvania and partially funded by the Nand and Jeet Khemka Foundation. All viewpoints, positions, and conclusions expressed in IiT are solely those of the author(s) and not specifically those of CASI and the Khemka Foundation.
© 2013 Center for the Advanced Study of India and the Trustees of the University of Pennsylvania. All rights reserved.