National cybersecurity strategy should spur digital resilience

Amandeep Singh Kapoor

Director, Central Detective Training Institute, Jaipur

WHEN asked which country has the best cybersecurity strategy, ChatGPT first hints at your naivete with the usual verbosity and euphemisms, but after dishing out the usual leaderboard, it throws up some surprises. Estonia is shown to have developed a highly secure digital infrastructure, while South Korea has established a strong legal framework and invested heavily in cybersecurity education.

Studies of cybersecurity strategies of various countries, available in the public domain, are a revelation. The International Telecommunication Union has a repository of national cybersecurity strategies of its member states, be it in the form of a single or multiple documents or as an integral part of a broader National Security Strategy.

With India preparing to roll out its cybersecurity strategy, studying the approaches of other nations is a timely exercise. It actually comes out that Estonia has put forth its third national cybersecurity strategy document (2018-2022) (after 2008-2013 and 2014-2017) with a horizontal strategy that predates the EU’s 2013 strategy. Ukraine has the most crisp strategy paper in the public domain, while the UK’s strategy focuses on a whole-of-society approach and integrating cybersecurity into emerging technologies (security by design). The US released its third cybersecurity strategy in March this year, marking a comprehensive effort to secure its cyberspace.

As this is the most recent document available, the US cybersecurity strategy would offer a good template to study its evolution. After the 9/11 attacks, the existing policy (Presidential Decision Directive 63 of 1988) was updated in 2003 with the National Strategy to Secure Cyberspace. Through the Homeland Security Presidential Directive 7, the Secretary of Homeland Security was made responsible for coordinating critical infrastructure protection efforts.

The Comprehensive National Cybersecurity Initiative was launched in the US in 2007 to combine cyber defence missions with law enforcement, intelligence, counter-intelligence and military capabilities. In 2015, the ‘Clean Slate Review’ evaluated US policies on cybersecurity and established a clear command structure. The 2023 Cybersecurity Strategy emphasises the integration of law, policy, protection of civil liberties, privacy, public safety, national and economic security interests.

A similar thrust for executing cybersecurity strategies in letter and spirit was followed in other spatial strata such as the EU and the Far East due to the use of deviant technologies as tools of furtherance of geopolitical plans of dubious states.

India has shown that it can innovate population-scale initiatives which can democratise markets constituted by Aadhaar, UPI, GST Network and Ayushman Bharat. With the use of digital commons in the form of an open protocol and digital economy being in focus, applications such as the Open Network for Digital Commerce (ONDC) are in the offing to unlock the value trapped within the ecosystem. Many such population-scale applications shall follow, hence the need for a no-nonsense cybersecurity strategy and paving the way for surefooted digital resilience and digital trust.

India’s first cybersecurity policy was introduced in 2013. The National Cyber Security Coordinator and the National Security Council Secretariat (NSCS) are integrating India’s cybersecurity architecture and policies. The draft National Cybersecurity Strategy, 2023, focuses on compliance with global security standards and an enabling regulatory framework for a secure cyberspace ecosystem. The 2023 strategy is based on common but differentiated responsibilities (CBDR), recognising the different responsibilities of individuals, businesses, academia and the government. All citizens using cyberspace and information networks must secure the part that they own or for which they are responsible. It will be interesting to observe how horizontal the strategy would be, dovetailing the domains or theatres under the National Security Strategy as well as digital commerce, financial technology and future technologies with cybersecurity needs. Also, how will a whole-of-nation approach be adopted?

There is a clamour that, like the Corporate Social Responsibility policy, public and private sectors must allocate 2 per cent of their productivity towards national critical infrastructure and space cybersecurity. Earlier this year, the Union Government approved the Space Policy 2023; it may eventually be incorporated in the Comprehensive National Security Strategy.

Policymakers must address key issues. What red flags can 5G impose? Can repositories of blacklisted entities and best practitioners of cyber resilience be created, ranked and made shareable? Do we create something like the US National Institute of Standards and Technology cyber framework or continue with the Bureau of Indian Standards’ ISO certification and audits? Can the ONDC pose data theft and cybersecurity challenges? Conversely, can we give cybersecurity tools and services an ONDC-type platform? How to improve the Security Operations Centre efficiency by incorporating the User and Entity Behaviour Analytics as well as other advanced security analytics, artificial intelligence (AI) and machine learning capabilities into SIEM (security information and event management) platforms? What about regulating Metaverse and AI? Hopefully, the best and worst practices shall be shared by the departments dealing with cybersecurity, critical infrastructure and Internet governance with the NSCS. Conformity assessment (product, process, technology and people) and an enabling regulatory framework would elicit a good response.

Strategising warfare or its prevention was never easy. Godspeed to the team at work.

Join Whatsapp Channel of The Tribune for latest updates.

#ChatGPT