The Ministry of Information Technology has already adopted a National Cyber Security Policy adopted in 2013 by the Kapil Sibal ministry and continued by the new Government. The Cyber Security Task Force of NASSCOM-DSCI has tried to take a deeper look at the policy issues involved in the Digital India initiative which may require some changes to the strategic elements of the policy.
The National Cyber Security Policy 2013 identifies the following as a vision statement.
” To Build a secure and resilient cyberspace for citizens, businesses and Government”
The Mission statement proceeds to state as under:
“To Protect Information and Information Infrastructure in cyberspace, build capabilities to prevent and respond to cyber threats, reduce vulnerabilities and minimize damage from cyber incidents through a combination of institutional structures, people, processes, technology and cooperation”
It may be observed that while the vision statement includes the” security of citizens” as one of the objectives, the mission statement focusses only on “Protection of Information and Information Infrastructure”. Protection of “Citizens” is not found in the mission statement. This is the typical approach to information security which we often call the “Technical Approach” which fails to recognize that behind every information there are “people” . This approach also fails to recognize that when there is a breach of information security, these information owners get hurt and hence the information security policy should not forget that protection of these people behind information as the main objective of any security initiative.
To draw a parallel, if there is a terrorist attack on a building containing people, the security objective of “Secure the Building from collapsing” will be good enough to prevent the people from direct exposure to gun fire but will not be sufficient to prevent a biological warfare in which a lethal gas is aimed at the air vents. The security focus cannot therefore be the building but the people behind the walls of the building.
Similarly the vision and mission statement of a National Cyber Security Policy should consider protection of Citizens as the core focus and cannot stop at protecting the infrastructure which is only a step in the direction.
This is the prime reason why the National Cyber Security Policy as it exists is inadequate to protect the Citizens (who will also be Netizens in this context) and we need a separate policy for protection of the Citizens and Netizens. (Naavi.org has once called them as Cinezens).
Since we already have a National Cyber Security Policy in place, in order to achieve the objective of ensuring that the protection of Citizens and Netizens without a need to scrap this policy, we suggest building additional sub policies within the cyber security policy to protect the people from the vagaries of Cyber Space.
The role of this policy within the overall context is indicated below.
The protection of people from the adverse impact of the developments in Cyber Space consist of two distinct faces. One is the “Financial Impact” and the other is the “Non Financial Impact”. The non financial impact consists of reputation harm that is difficult to be easily converted into monetary terms. All other adverse aspects of Cyber Crimes/Terrorism/warfare that has an effect on financial impact can be brought under one category.
We need a policy exclusively addressing the protection of Citizens from such financial losses. We can have a single policy to address all incidents of financial loss suffered by the Citizens irrespective of whether it is an act of Cyber Crime, Cyber Terrorism or Cyber warfare. This aggregation is required since the end victim cannot distinguish what is a crime committed by an individual for himself or on behalf of a terror outfit or a state actor.
It is this sub policy which we shall call “Cyber Fraud Prevention Policy” and urge the Government to formulate as a part of the Digital India project.
The undersigned has created a local circle to take this discussion further on www.localcircles.com with a title “Save Digital India from Cyber Frauds”. If you have a view on this subject and contribute to the formulation of a draft policy which can be forwarded to the Government, I request you to join the local circle.