(Continued from previous Post)
India already has a National Cyber Security Policy 2013. In 2020, DSCI also brought out an updated suggested Cyber Security Strategy 2020. Karnataka also published a Karnataka State Cyber Security policy 2024. Earlier Tamil Nadu had published a similar policy. We need to keep all these under our radar to develop the draft Indian Cyber Resilience Act.
The National Cybersecurity Policy of 2013 is a comprehensive framework established by the Government of India aimed at protecting the country’s information infrastructure and managing the associated risks. This policy was introduced in response to the increasing threat landscape and the need for a robust cybersecurity strategy to safeguard critical information infrastructure.
The National Cyber Security Strategy suggested by DSCI highlighted 21 key focus areas aimed at creating a secure, reliable, resilient, and growth-and-trust-fostering cyberspace for India.
The Karnataka Cybersecurity Policy 2024 aims to build a secure and resilient digital ecosystem in the state. It focuses on safeguarding critical infrastructure, promoting cybersecurity awareness, and fostering innovation in security technologies. The policy encourages collaboration between the government, industry, and academia, and provides incentives to cybersecurity startups. By strengthening data protection and implementing global best practices, Karnataka seeks to become a leading hub for cybersecurity, ensuring the safety and trust of its digital economy.
In the light of these past efforts let us see what should be the contours of the Indian Cyber Resilience Act. We shall place our suggestions in a series of articles here and codify it in the end.
The first principle we need to adopt is to define the “Cyber Space” and the law making jurisdiction.
When Indian Constitution was drawn , there was no recognition of Cyber Space. Hence the law enforcement obligations were divided built into Union List, State List and concurrent list. As a result States are assuming legislative powers and State Police is assuming powers to handle Cyber Crimes as if they are crimes associated with the geographical boundaries of the State.
This is the biggest hurdle in Cyber Crime management that needs to be removed.
Cyber Space is like the extended geographical boundaries on the sea in air etc and has to be addressed as a separate law making jurisdiction.
The powers of the State should be only for implementation of law made by the Union which should be considered as the only law making power.
All Cyber Policing activity should be brought under the “National Cyber Police Force”. The I4C and NTRO may be functioning as National agencies but they need to be brought under proper National authority so that Interstate crimes and Cyber Terrorism can be handled.
Since Cyber Space has no boundaries, the National Cyber Space boundary is not limited to the geographical boundaries. The entry and exit points of our Cyber Space boundary lies in every internet connected device. Hence our military needs to be responsible for protecting every Cyber attack including what we are today recognizing as Cyber attacks on individual systems.
We already have a Cyber Command in the form of Defence Cyber Agency which acts like a Cyber Command for military operations. We need to create a unit of this as Cyber Border Security Force so that the apex control rests with the military to tackle State actors.
Thus one of the first efforts should be to integrate the activities of multiple agencies like the DCyA, I4C, NTRO, CERT In, NCIIPC etc into a single unified “National Cyber Resilience Command Authority”. While individual autonomy can be preserved, the overall policy has to be synchronized with a unified structure.
This is one of the prime responsibilities of the IN-CRA.
Naavi
