Cyber security experts and industry players have welcomed the government’s decision to double budgetary allocation on the Digital India programme to Rs 3,073 crore as an “encouraging move”, but insist that the increased funds allocated should also be utilised to strengthen the country’s cyber security environment. They have said that utilisation of the budgetary allocation holds the key to upscaling the country’s cyberspace vigilance. Experts also want India’s vast talent pool of young security professionals to be utilised to bolster cyber security in the country.
Security professionals, analysts and researchers said that the increased budgetary allocation should be “handled with care” and efforts need to be made to strengthen research in Robotics, Artificial Intelligence (AI), Internet of Things (IoT), cyber assets and information security. Satish Ashwin, Head of Research and Operations at National Cyber Safety and Security Standards and a senior security analyst at Deep Identity India Pvt. Ltd, told The Sunday Guardian: “Increased budgetary allocation is definitely a good step forward, but there are questions over its utilisation and implementation. It is to be seen how the increased funds ensure that incidents like Aadhaar data breach don’t happen.”
The government has said it would increase its focus on cyber capabilities, including developing and researching new technologies that can be leveraged for the future. The allocation for 2018-19 will be used towards implementation of the National Cyber Security Co-ordination Centre (NCCC) Phase-II, providing financial support to three ongoing R&D projects for NCCC and continue support to ongoing projects.
However, experts have called for a paradigm shift in the country’s approach towards cyber crimes like devising a proper policy framework, engaging with the pool of young talent, collaborating with private information security firms and facilitating quantitative and qualitative research in information security.
Vineet Kumar, founder of Jharkhand-based Cyber Peace Foundation, an award-winning NGO and global think tank of cyber security and policy experts, said: “At least the present government recognises the severity of the issue and is giving a great push to data protection. Initiatives like Cyber Swachhta Kendra, cyber thanas in every district, and signing MoUs for international co-operation will go a long way to strengthen cyber security. Having said that, a lot still has to be done.”
Interestingly, while the Internal Security Threat Report of 2017 identified India as the fifth most vulnerable country in the world in terms of cyber security breaches, the second Global Cyber security Index, which measured the commitment of nations to cyber security, ranked India at 23 out of 165 nations.
Combating cyber crimes
According to Romanian cyber security and anti-virus software company Bitdefender, Hide and Seek (HNS), recent malicious cyber threats that have struck several countries across the globe, can deal a severe blow to India. As per the statistics reported by CERT-IN (Indian Computer Emergency Response Team), across the globe, a computer system is targeted every 40 seconds by cyber terrorists, out of which every fifth computer system is in India and the average per annum damage due to these attacks is quantified to be around $10 billion.
Commenting on the country’s existing mechanisms to grapple with cyber security breaches, Kislay Chaudhary, a cyber security consultant with the Central government and Founder of Indian Cyber Army, told this correspondent: “Presently, we don’t have a dedicated policy framework to combat the increasing incidents of cyber crimes. The National Cyber Security Policy 2013 is just paperwork. We need a proper framework and cyber security laws that clearly outline the responsibilities, accountability, and liabilities of internet service providers and intermediary agencies in case of cyber crimes.”
Chaudhary added that with increased dependence on data, the government must adopt a stricter regime to deal with global tech giants like Facebook, WhatsApp, Paytm and Google.
“Facebook and Google, among many others, have all the data of billions of people. Currently, in case a cyber crime takes place, the government has to write to them and request information. There’s no such provision, as of now, that mandates them to reveal the information. This makes us very vulnerable,” Chaudhary said. Experts further added that while several other countries are gearing up to build cyber weapons— ransomware, malware, etc— India has still not initiated efforts on the research front.
Kumar said: “In India, the focus on academia is still missing. In the United States, there are four verticals that work in collaboration to combat cyber crimes. They have industry on one side, the government on the second, civil society on the third, and academia on the fourth.”
According to technology lobby group Nasscom, there is a huge scarcity of skilled cyber security professionals.
However, Anand Prakash, one of India’s highest-paid bug bounty hunters who had large payouts from Twitter and Uber for responsibly disclosing vulnerabilities in their software and websites, disagrees that there’s a lack of talent in the country.
“India has the highest number of bug bounty hunters in the world, as per a Facebook bug bounty report 2017. We are surrounded by young talent today as well as with people with hands full of years of experience. I feel companies and organisations should engage with these ethical hackers,” Prakash said.
Reiterating Prakash’s argument, Chaudhary noted that while Indian ethical hackers are celebrated outside, they remain untapped in the country. He suggested that by engaging with them “we can upscale our vigilance in cyberspace”.
“The existing set of security professionals are not skilled in changing technology, hence the hackers/attackers are easily outsmarting them. We have incredible talent here and global tech giants are luring them. We must engage with them,” he added.
Asserting on the need to breed a fresh set of security professionals, Ashwin said: “Data is the new oil now. The increased dependence on data has given rise to frequent cyber attacks and they are expected to grow with time. We need to start educating children in cyber assets and information security. We need to breed a fresh set of security professionals just as we develop doctors and engineers.” Talking about public-private partnership to develop a potent system to mitigate cyber threats, Kumar added: “Cyber security is not a subject that the government can handle alone. There needs to be a collaborative model between private players and the government. Young people with brilliant ideas to revolutionise the country’s cyber security need to be encouraged.”